Shodan: The scariest search engine on the Internet (cnn.com)
504 points by cpeterso on Apr 8, 2013 | 144 comments



Eagerly awaiting the moment someone at CNN finds out about Metasploit. I'd like to think of it as a kind of "Dark Firefox".


Love this:

http://www.metasploit.com/about/penetration-testing-basics/

"You can become a penetration tester at home by testing your own server and later make a career out of it."

Sounds like the old style correspondence school ads - a bit hokey.

http://www.thefreedictionary.com/correspondence+school

I would have rewritten that as:

"Many people have actually made a career out of being a penetration tester by first testing their own home server"


You can absolutely learn to do penetration testing on your own time with your own servers. We have a script we give people to do the same thing. If you feel like you have a knack for systems programming, being a good systems programmer is 1/2 the hard part of appsec; the other 1/2 is literally "taking pleasure in finding creative ways to break things", and you can find out if you have that personality streak in just a couple hours of trying attacks.


Agree. Fully understand the ability to self learn (and have done that with almost everything I've ever made a dollar on despite going to one of those good business schools which is why people think I make money rather than other qualities).

My comment strictly related to the style of what they were saying (and how I might rewrite that). I think it's a great idea.


When you say "a script" what do you mean? A script that configures a server incorrectly to let you see the kind of things you can do?


I think he refers to a teaching script, as in a series of exercises.


Is this script available? Thanks


Shoot me an email.


Would be interesting to offer this script as "ptaas" penetration testing as a service. That way instead of having the script and having the potential to abuse the script (or temptation) someone would be forced to allow tracking of the IP (presumably their own or their company's) that they are doing the testing on (and you could compile statistics for use elsewhere as a condition if they got the script for free). I know companies already offer this service (we had to go through one of those for PCI) but iirc it was rather expensive. FWIW the bank that required it never followed up after the initial "you have to do this and we suggest this particular company".


http://gogd.tjs-labs.com/show-picture?id=1160663127&size...

"By and large, Management agrees that there is but one adequate solution to the problem ... a solution that can be applied only by Management itself."


There was way less cowbell in that picture than I expected.


I think Firesheep is more of a "Dark Firefox".


I apologize for the downtime/ delays, this was a big surprise this morning and I clearly wasn't prepared for the full onslaught of CNN etc. If you have any questions about Shodan I can try to answer them here.


It would kill your business eventually so it may be a naive question but : do you need volunteer work to help identify and warn those insecure networks ?


Yes, I encourage security researchers to always notify the relevant network operators/ authorities if they make an interesting discovery. And that data is always provided for free to agencies such as the CERT. At the end of the day I would like to think that Shodan helps make the Internet a safer place by having smarter people than me find critical infrastructure, and then notifying the operators so things can get fixed. There will always be security issues as long as people are deploying them, so I'm not worried about Shodan becoming obsolete.


Maybe you could provide some place to keep track of who has been notified ? Or even better : handle a "report" form yourself, so sources are notified only once and the wild internet doesn't know if a source may be watching its logs or not.


I guess you should feel free to do so. It takes away lots of fun for highschoolers though :P


Also, sorry for highschoolers, but this is for their own good :)

I had my own "let's see what we can do" youth, and sure thing it is very insightful. If we were talking only about business damage, I would say : "well, they deserve it". But we're not.

What do you think would happen if tomorrow, the news headline was : "Massive oil truck crash kills 10, caused by hacker tampering with traffic lights." ? Repressive laws against any kind of computer toying would become even harder, and our highschoolers may go to jail for simply trying to have fun.


Well, it would be way better if we could add some kind of "source notified" flag directly on the database, we do not want to add mail flood to security breach. :)


+1 for the System Shock reference :)

http://en.wikipedia.org/wiki/System_Shock


Gah, still get creeped out watching the System Shock 2 intro.

http://www.youtube.com/watch?v=MXPn6wcsUmk

Let's hope this Shodan isn't as intelligent and psycho as System Shock 2 Shodan! Oh, and no zombies.


"Lo- lo- lo- look at you hacker.."

I've beaten this game at least 4 times, including co-op a couple times. Such a great piece of gaming history.


Man, I found that game to be _very_ bad for my nerves in the 90s.


Me too. Scary game. Nothing else has come near to it.

As a tribute, my workstation and laptop are named xerxes and shodan.


Same here. Windows PC is Xerxes, after the AI that gets completely overtaken, and linux server is shodan, the AI that thinks it's smarter than it really is. Linux laptop is polito, the human identity that Shodan assumes for a while (ie 'little shodan')... and the wifi network that carries everything is the 'vonbraun'... :)


Have you played Amnesia: The Dark Descent?


Disappointing, though, that the CNN writer didn't manage to suss out the project's apt namesake.


Gog.com recently released it for new systems: http://www.gog.com/gamecard/system_shock_2

Apparently it works well under wine, too.


It sort-of worked under wine for some graphics cards.

If you can get it to run, you should check out the Thief games as well. They use the same engine.


Mhm, sorry as I don't know so much about this, but how is this different from google?

meaning that with a specific search in google I can find for example all kinds of cameras or systems one shouldn't find, e.g.:

-) http://preview.tinyurl.com/34959u

Maybe Shodan "focuses" on that, but they can't possibly index more of those things than Google already has...

Can you find one single thing over Shodan you can't with a specific Google search? (maybe you find such things more easily with Shodan...)

EDIT: More information on Shodan:

-) Defcon Presentation [pdf]

https://www.defcon.org/images/defcon-18/dc-18-presentations/...

-) Secanalysis.com

http://secanalysis.com/a-brief-analysis-of-shodan/

JoshuaRedmond beneath also provided interesting links


I could be wrong, but I believe Shodan actually portscans the entire internet, whereas Google only crawls known URLs. They also index HTTP headers, which Google doesn't do.

It's run by our very own achillean: https://news.ycombinator.com/threads?id=achillean


Sounds like they also attempt to authenticate using default user/pass combos.


No! I do NOT try to authenticate with username/ password! The only exception to that is for FTP, where I try to do an anonymous/anonymous connection (identical to what Firefox etc. do). I put a lot of effort into making the crawling as benign and unobtrusive as possible, so I definitely do NOT try to brute force devices.
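Worked example, added here by the editor and not code from Shodan or from either commenter above: a minimal banner grabber of the kind the two comments describe. For HTTP it sends one bare GET and keeps the response headers as indexable fields (which is the data Google does not record); for FTP it reads only the 220 greeting and never sends USER/PASS. The sample responses are constructed for the demo, the loopback server exists only so the script runs offline, and the names `Banner`, `grab_banner`, `parse_http_banner` and `parse_ftp_greeting` are mine.

```python
import socket
import threading
from dataclasses import dataclass, field

# Constructed sample responses for the demo and tests; not captured from real hosts.
SAMPLE_HTTP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.3 (CentOS)\r\n"
    b"WWW-Authenticate: Basic realm=\"NetCam\"\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><title>Camera</title></html>"
)
SAMPLE_FTP = b"220 ProFTPD 1.3.3a Server (Debian) ready.\r\n"


@dataclass
class Banner:
    service: str
    status: str = ""
    headers: dict = field(default_factory=dict)
    tags: set = field(default_factory=set)


def parse_http_banner(raw: bytes) -> Banner:
    """Reduce an HTTP response to what a banner index stores: the status line,
    lower-cased headers, and a few derived tags to search on."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    b = Banner(service="http", status=lines[0] if lines else "")
    for line in lines[1:]:
        if ":" not in line:
            continue
        k, v = line.split(":", 1)
        b.headers[k.strip().lower()] = v.strip()
    if "www-authenticate" in b.headers:
        b.tags.add("auth-required")      # a login prompt was seen; no login was tried
    if "server" in b.headers:
        b.tags.add("server:" + b.headers["server"].split("/")[0].lower())
    return b


def parse_ftp_greeting(raw: bytes) -> Banner:
    """Only the greeting line is recorded; no credentials are ever sent."""
    line = raw.decode("latin-1").split("\r\n")[0]
    code, _, text = line.partition(" ")
    b = Banner(service="ftp", status=code)
    b.headers["greeting"] = text
    if code == "220":
        b.tags.add("ftp-ready")
    return b


def grab_banner(host: str, port: int, service: str, timeout: float = 3.0) -> Banner:
    """One connection, one read. HTTP gets a bare GET; FTP just listens."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if service == "http":
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks, total = [], 0
        try:
            while total < 4096:          # cap what is kept per host
                c = s.recv(1024)
                if not c:
                    break
                chunks.append(c)
                total += len(c)
        except (socket.timeout, ConnectionResetError):
            pass                         # keep whatever arrived
    raw = b"".join(chunks)
    return parse_http_banner(raw) if service == "http" else parse_ftp_greeting(raw)


def _serve_once(payload: bytes, read_first: bool, ready: threading.Event, box: list) -> None:
    """Throwaway loopback server emitting one constructed banner (demo only)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    box.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    if read_first:                       # drain the HTTP request before answering
        conn.recv(4096)
    conn.sendall(payload)
    conn.close()
    srv.close()


if __name__ == "__main__":
    for payload, service in ((SAMPLE_HTTP, "http"), (SAMPLE_FTP, "ftp")):
        ready, box = threading.Event(), []
        t = threading.Thread(target=_serve_once, args=(payload, service == "http", ready, box))
        t.start()
        ready.wait()
        print(grab_banner("127.0.0.1", box[0], service))
        t.join()
```

Run it as a script and it talks to its own loopback server; the parsers are pure functions, so the same records can be produced from captured banners without touching the network. The derived tags are where a Shodan-style query like "server:apache" comes from; nothing in the flow submits a username or password.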


Is that legal? I've seen all kinds of analogies like "if your neighbor leaves the front door unlocked..." or "but if you go down the street testing each lock..." but never anyone who really knew what actual criminal law says.


It is a grey area, at least in the US. The main federal law for computer crimes is the ancient Computer Fraud and Abuse Act. The provisions of the act all work off the concept of "exceeding authorized access" - but the law never defines what authorized access actually is. Logging in with a default username and password has never been tested in court, as far as I know, and I think there are arguments to be made for both sides about whether that counts as authorized access.


Look at what happened to the guy who was able to access Sarah Palin's account, because her secret questions were basically googleable.

(Today,) that's just cruisin' for a bruisin'.


I'm not an expert in it by all means, but from what I've seen it is like having Google log all the http headers and servers connected to requested as well. This means that it is incredibly easy to, for example, track down certain servers with a certain exploit that you know about [1], or complete systems that shouldn't really be attached to the internet in their current state [2]. Not sure either of those are possible with Google.

[1] - http://erratasec.blogspot.co.uk/2009/12/shodan-scares-me.htm...

[2] - http://www.zdnet.com/blog/security/shodan-search-exposes-ins...


> Can you find one single thing over Shodan you can't with a specific Google search?

The entire rest of the Internet? Google is great at crawling HTTP and HTTPS, but the Internet is more than the web.


Here's an example from early 2012 that I don't think would have been possible with Google:

http://console-cowboys.blogspot.com/2012/01/trendnet-cameras...


...followed the first link and finally learned what people use java applets for :)


Presumably Shodan ignores robots.txt, right?


I don't crawl for URLs so it doesn't really factor into the equation for me.


A "bad" search engine should treat robots.txt pretty much in reverse: Anything disallowed should go to the top of the list of things to index.. There are sites out there that use robots.txt rules to prevent Google from indexing things that should be password protected but isn't...


The irony is that robots.txt doesn't even prevent things from being indexed. The files can still be indexed if there's a link to them on the Internet; that's what <meta noindex> is for. (Which, ironically, requires that the page not be robotted, because if it is it can't be crawled, which means the meta tag can't be discovered.)
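Worked example, added by the editor and not code from either commenter: a small robots.txt parser that shows both points above. `probe_list` is the "reverse" reading (every Disallow becomes the first thing to check), `is_blocked` is what a well-behaved crawler does with the same file, and `meta_noindex_effective` captures the irony that a page blocked in robots.txt can never have its `<meta name="robots" content="noindex">` seen. The sample robots.txt is constructed; the function names are mine, and only plain prefix rules are handled (no `*`/`$` wildcard extensions).

```python
from urllib.parse import urljoin

# Constructed sample robots.txt for the demo; not taken from any real site.
SAMPLE_ROBOTS = """\
# keep the crawlers out of the private bits
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/

User-agent: Googlebot
Disallow: /staging/
"""


def parse_robots(text: str) -> dict:
    """Group rules by user-agent: {ua: {"disallow": [...], "allow": [...]}}.
    Plain prefix rules only; the '*' and '$' wildcard extensions are not handled."""
    rules, current, last_was_ua = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if not last_was_ua:                      # a new group starts here
                current = []
            ua = value.lower()
            current.append(ua)
            rules.setdefault(ua, {"disallow": [], "allow": []})
            last_was_ua = True
            continue
        last_was_ua = False
        if key in ("disallow", "allow") and value:   # empty Disallow means "allow all"
            for ua in current:
                rules[ua][key].append(value)
    return rules


def is_blocked(rules: dict, path: str, agent: str = "*") -> bool:
    """The polite crawler's view: use its own group (else '*'); the longest
    matching prefix wins, and Allow wins ties."""
    group = rules.get(agent.lower()) or rules.get("*")
    if not group:
        return False
    best_len, blocked = 0, False
    for kind, verdict in (("allow", False), ("disallow", True)):
        for prefix in group[kind]:
            if path.startswith(prefix) and len(prefix) > best_len:
                best_len, blocked = len(prefix), verdict
    return blocked


def meta_noindex_effective(rules: dict, path: str, agent: str = "*") -> bool:
    """A noindex meta tag only works if the crawler may fetch the page and see it."""
    return not is_blocked(rules, path, agent)


def probe_list(base_url: str, rules: dict) -> list:
    """The 'bad' engine's view: every Disallow from every group, deduplicated,
    as URLs to check first. Hidden is not the same as protected."""
    seen, out = set(), []
    for group in rules.values():
        for prefix in group["disallow"]:
            if prefix not in seen:
                seen.add(prefix)
                out.append(urljoin(base_url, prefix))
    return out
```

The defensive takeaway is in `probe_list`: anything listed there needs real authentication, because the file that hides it from Google is also a public map for everyone else.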


Crazy idea, if you don't know what you're talking about, shut the hell up.


it was an honest question and i don't think your reaction is appropriate behaviour for this site.

If most think my comment is worthless, the voting system will make it enter the void. If others think it isn't it will be upvoted. That's how this site works.

Just responding with "Shut up" adds nothing to the discussion and is something i am shocked to see on this site :(


Look at the username - likely a purpose built troll account. Not the first I've seen on HN, but it's happening more than it used to.


That's funny. I thought cobrausn was a "purpose built troll account."


On the contrary, I think it's simply a snake enthusiast with a maritime affiliation.


Hah, half right and a good guess. Since we're on the topic, I always read your name as 'Max Payne'.


Well, that's far better-sounding than the reality, so please continue to do so!


No, but YMMV.


I used to be able to tell people like you to go back to Reddit. Unfortunately the quality of HN has declined far enough that your content-free insulting of a decent question is not immediately recognizable as something with no place here.

I consider that fact a sad commentary on how far HN has fallen.


Responding to trolls probably does more to decrease the quality of discourse than the original troll does, since those typically get voted into oblivion relatively quickly.

Tossing in a belittling jab at another website to boot doesn't help either.


I'm a relatively new HN reader (~1 year) and have taken much away from my time here (much reading, few comments). I understand where you're coming from with concerns about quality; however, I resent the fact that I may be considered part of the increased readership responsible for "HN's decline"


Hopefully knowing my fuller opinion will decrease your resentment.

I suspect that new users follow something like a 90/10 rule. 90% of them are good to have around, and contribute more than they detract. New blood is good. But 10% contribute junk that is like virtual cholesterol, it builds up, clogs the system, and if left untreated eventually will be lethal to the community. Of that 10%, perhaps 10% are simply toxic waste that you want to get rid of, and 90% just need encouragement to fit in better.

I sometimes comment on egregious comments by the 10%. You've reminded me that I should more often acknowledge the existence of the 90%, and on my hope that the 10% I'm looking at are part of the redeemable 9%.

There is an observation that goes back centuries, which applies here. The observation is that if you pack a barrel of apples and there is even a single bad one, the whole barrel will spoil. But if every apple is good, the barrel will remain good for the entire winter. Thus, "don't let a few bad apples spoil the barrel". We want the apples, but none of the bad ones.

Unfortunately the advent of refrigeration has caused us to forget the original wisdom and the saying is currently used as the exact reverse of its original meaning ("oh, it was just a few bad apples").


During packing we were still checking all the pears for injuries ("stem punch", caused by other pears), since apparently it would spoil the whole box if there was a bad one. (Packing pears in New Zealand for export to Europe and the US) - On a commercial and longterm scale you apparently still have to take care.


Rotting fruits release ethylene gas which is a ripening agent. This causes fruit next to rotting fruit to ripen then rot.

An interesting mechanism I think. Before looking that up I would have suspected a biological transmission of infection or something, not a chemical transmission.


I've been lurking HN for awhile now, and complaints about HN's decline were going on even years back when I was first introduced to the site...


That's how all communities work though. As a community grows and attracts new members, the old guard moan about how it was better when they were noobs.

In fact this is true for real -"offline"- life as well.


Complaints about HN decline have been going on since I first started visiting this site in 2007.


What would happen if HN were split into sub-communities like reddit?

Also saying reddit doesn't have quality discussion is a bit unfair to the minority of subreddits that do.


Or ask an informed group of readers for clarification?


actually people have been posting google searches to find exposed home ip camera systems and the like for years.


Affirmative. I've been using Google "Dorks" for years.


Dude, what the heck?


For similar coverage about finding barely-secured devices that shouldn't have ever even been connected to the Internet, check out the Security Now! podcast, episode 396 - The Telnet-pocalypse:

http://www.grc.com/securitynow.htm

Transcripts are available in several formats:

http://www.grc.com/sn/sn-396.htm

http://www.grc.com/sn/sn-396.txt

http://www.grc.com/sn/sn-396.pdf


http://youtu.be/5cWck_xcH64 is a really good presentation about what you can find on shodan.


But he added that cybercriminals typically have access to botnets -- large collections of infected computers -- that are able to achieve the same task without detection.

What do botnets have to do with crawling the web for unsecured devices? I'm not sure I understand the correlation.


The article is full of technical misconceptions, but if I had to guess:

1) Botnets give you a ton of bandwidth to run port scans or crawling searches.

2) They also allow you to "map" port scans or searches over thousands of computers (e.g. one computer in the botnet scans one specific port times ten thousand ports), obscuring the fact that a scan is even occurring.


Funny enough that question was answered in a rather public way just a few weeks ago: https://news.ycombinator.com/item?id=5404642 (Researcher sets up illegal 420,000 node botnet for IPv4 Internet map)


I did read this article a few weeks ago but seem to have forgotten its link to my question.

Thank you for the reminder.


I think it's because you can use botnets to divide up the vast IPv4 search space among the individual bots and crawl it exponentially faster.


Exponentially?


I think exponentially is the new literally.


If you assume the bots are infecting hosts they scan, then yes.
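Worked example, added by the editor and not code from any of the commenters above, covering the mechanism described in both the "map port scans over thousands of computers" comment and the "divide up the IPv4 search space" comment. The (address, port) space is flattened, walked in a full-period pseudo-random order so no single source ever probes one host on consecutive ports or hosts in sequence, and dealt out to N workers as disjoint slices. The same trick serves a legitimate distributed scanner; the defensive point is that per-source rate thresholds never trip, so scan detection has to correlate across sources. The names `permute`, `shard` and `shard_targets` are mine, and the /28 in the demo is documentation space, not a real target.

```python
import ipaddress


def _lcg_params(n: int, seed: int):
    """Pick a full-period LCG over m = next power of two >= n. With m a power
    of two, c odd and a = 1 (mod 4) give period exactly m (Hull-Dobell)."""
    m = 1
    while m < n:
        m <<= 1
    if m < 4:
        return m, 1, 1 % m
    a = 4 * (seed % (m // 4)) + 1            # a = 1 (mod 4), 1 <= a <= m-3
    c = 2 * ((seed // m) % (m // 2)) + 1     # odd, 1 <= c <= m-1
    return m, a, c


def permute(n: int, seed: int):
    """Yield 0..n-1 in a seed-determined pseudo-random order, each exactly once,
    using O(1) memory: iterate the LCG over its full period and skip values >= n."""
    m, a, c = _lcg_params(n, seed)
    x = seed % m
    for _ in range(m):
        x = (a * x + c) % m
        if x < n:
            yield x


def shard(n: int, workers: int, index: int, seed: int) -> list:
    """Worker `index` of `workers` takes every workers-th element of the
    shared permutation, so shards are disjoint and together cover 0..n-1."""
    return [v for i, v in enumerate(permute(n, seed)) if i % workers == index]


def shard_targets(cidr: str, ports: list, workers: int, index: int, seed: int) -> list:
    """Flatten (address, port) into one index space and hand this worker its
    slice as (ip, port) pairs. Worker 0 and worker 1 share no pair, and
    neither walks a host's ports or the block's hosts in order."""
    net = ipaddress.ip_network(cidr, strict=False)
    base = int(net.network_address)
    n = net.num_addresses * len(ports)
    out = []
    for v in shard(n, workers, index, seed):
        host_off, port_i = divmod(v, len(ports))
        out.append((str(ipaddress.ip_address(base + host_off)), ports[port_i]))
    return out


if __name__ == "__main__":
    # 192.0.2.0/28 is TEST-NET-1 (documentation), not a live network.
    for w in range(3):
        print("worker", w, shard_targets("192.0.2.0/28", [22, 80, 443], 3, w, seed=7)[:5])
```

Each worker only needs `(n, workers, index, seed)` to know its share, which is why a controller can hand out the whole Internet to thousands of bots in a few bytes each. A detector that keys on "many ports from one source" or "sequential hosts from one source" sees nothing; counting distinct sources that touch the same unused address space over a window does.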


From Wikipedia: SHODAN (Sentient Hyper-Optimized Data Access Network) is a fictional artificial intelligence and the main antagonist of the cyberpunk-horror themed action role-playing video games System Shock and System Shock 2.

http://en.wikipedia.org/wiki/SHODAN

Kinda cool they chose that name.


Hardware manufacturers should ship their devices with a piece of paper printed with a unique UID and password. Not "admin/1234".

The owner would have the ability to change these at will, and resets would revert to the original UID/pw combination.

Lost your piece of paper? Send the device back. No more trivial hacks.


My Netgear Router N600 does exactly that. There's a nice laminated sticker on the bottom with the admin password.


Most of those types are some sort of hash of the MAC which are quickly reversed. A quick search will contain many fruitful examples. How else do you think the default password ends up the same on a system reset?


Yeah, but at least it's not trivial to learn the MAC of a system across the world (right? I admit I don't know a whole lot about this.) Anyone sitting on the LAN so that they know the MAC likely has other attack avenues anyway.


The MAC has to be stored in flash so why not a password?


Usually the MAC is stored in the network card's flash while the system image is stored in a different flash altogether, which is often cheaper if you can find a way to get away with making them all exactly the same.


Not on new SoCs, where there is only one flash and indeed the ethernet is on the CPU. Which is what these devices are.


1) Are you sure that MAC is actually coming from that one flash that netgear's programming? The real datasheet for the AR7161 isn't public as far as I can tell, but very few SoCs require the end user of the SoC to write their own firmware to provide their own MAC. That type of thing is usually stamped in at the SoC factory. Commonly, it's on a ROM or other OTP memory somewhere, but without the datasheet, I can't tell for sure. And the process which programs that information in is likely separate from the process which programs netgear's firmware in. If you've signed the requisite NDAs and have access to the datasheets, then you may know more, but I still don't think that's a common setup and I doubt netgear would write their firmware assuming that setup.

2) Even if we lived in a world where netgear was doing all this for MAC addresses on SoCs anyway often in computing the question isn't why something isn't done now, but why it was done that way the first time someone wrote it. Build systems, factory processes and other legacy cruft build around a certain way of doing things and often those ways become the way even if new technology makes other ways more simple later.


That would make the devices more costly to produce and would raise prices. I know that ISPs do this with their devices sometimes, but some companies will cheap out and will just ship with a generic username and password since they only have to flash one single ROM image.


It shouldn't really. I mean, it's not like devices don't come with at least 3 or 4 unique IDs for different purposes. Just using one of those for the default password or adding a new ID shouldn't be that big of a task.

I know that this is how some of the router/modem combos from french DSL providers worked - the admin and WPA passwords are two separate UUIDs printed on the device.


The gateways provided by the cable ISPs here in Western Canada tend to have unique passwords. It would be prudent on the part of the device manufacturer to just create a scheme for creating default passwords based on the unique serial that the device has and then just print labels for each and have the default ROM just sort it out upon it being powered up for the first time.


They can flash a single ROM image, create a random password on the device, and just by adding a LED, they communicate said password to a mobile app, when needed.


Good luck with that model. There are many better ways to approach this via things like captive portal that does good enforcement of the user setting good parameters up front before just plugging and playing. The vendors should not allow any Internet access until the device is secured appropriately or the user acknowledges insecure defaults.
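Worked example, added by the editor and not code from any commenter or vendor in this thread, covering the "hash of the MAC which is quickly reversed" comment and the later suggestion of deriving defaults from the serial. The weak scheme is hypothetical (no vendor is claimed to use exactly it): the default password is a truncated hash of the MAC, so an attacker who knows the vendor's public OUI has at most 24 unknown bits to enumerate, and fewer once any suffix bytes leak. Beside it are the two sane options: a per-device random secret generated at manufacture, and an HMAC of the serial under a factory key, which survives a reset without storing anything on the device but is only as safe as that key. Function names and the demo key are mine.

```python
import base64
import hashlib
import hmac
import math
import secrets
import string

# --- the weak scheme the thread describes (hypothetical; no vendor named) -----------

def weak_default_password(mac: str) -> str:
    """Default password = first 8 hex chars of SHA-1(MAC). Deterministic from a
    value that is printed on the box, broadcast on the LAN, and partly public."""
    raw = mac.lower().replace(":", "").replace("-", "")
    return hashlib.sha1(raw.encode()).hexdigest()[:8]


def weak_keyspace_bits(known_suffix_hex: str) -> int:
    """Bits left to brute force: the 3-byte OUI is the vendor's public prefix,
    so at most 24 bits are unknown, fewer if some suffix bytes leak."""
    return 8 * (3 - len(known_suffix_hex) // 2)


def recover_weak_password(oui_hex: str, known_suffix_hex: str, target_pw: str):
    """Attacker side: enumerate the unknown suffix bytes until the derived
    password matches. Returns the MAC that produced target_pw, or None.
    With nothing known beyond the OUI this is 2**24 hashes, still trivial."""
    unknown = 3 - len(known_suffix_hex) // 2
    for i in range(256 ** unknown):
        mac = oui_hex + known_suffix_hex + format(i, "0%dx" % (2 * unknown))
        if weak_default_password(mac) == target_pw:
            return mac
    return None


# --- two ways to do what the thread asks for --------------------------------------

# Letters and digits minus the characters people misread on a printed label.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


def strong_default_password(length: int = 12) -> str:
    """Per-device random secret generated at manufacture, stored in the device's
    own flash and printed on the label. Nothing to derive, nothing to reverse."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def strong_password_bits(length: int = 12) -> float:
    return length * math.log2(len(ALPHABET))


def derived_default_password(factory_key: bytes, serial: str, length: int = 12) -> str:
    """Alternative that survives a factory reset without keeping the secret on
    the device: base32(HMAC-SHA256(factory_key, serial)). Safe only while the
    key stays in the factory; if it leaks, every default is derivable from
    the serial on the label, which is exactly the MAC scheme's failure again."""
    tag = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(tag).decode()[:length]   # 5 bits per character


if __name__ == "__main__":
    # Locally administered MAC (02:...) so no real vendor's OUI is implied.
    pw = weak_default_password("02:00:00:ab:12:cd")
    print("weak default:", pw, "-> recovered MAC:",
          recover_weak_password("020000", "ab12", pw))
    print("random default:", strong_default_password(), "bits:", strong_password_bits())
    print("derived default:", derived_default_password(b"factory-key-for-demo", "SN-0001"))
```

The test below recovers the MAC with one unknown byte (256 candidates); leave the whole suffix unknown and the loop is 16.7 million SHA-1 calls, which is a coffee break, not a barrier. Whatever the default scheme, the captive-portal point above still applies: the first-boot flow should force the owner to change it before the WAN side is enabled.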


I wonder, why has no one turned off traffic lights or something like that to do mischief?

Also, why has no terrorist yet used those security failures to do terror?

Once a random dude managed to log into ISS controls... Ever wondered what happens if some terrorist crashes the ISS into New York?


At least over here, traffic lights fail and turn off on their own, no need for hackers :) . Now, fixing them (for example setting up a "green wave"... hmm that could be a more interesting use :)

http://en.wikipedia.org/wiki/Green_wave


I'd like to see the local lights reprogrammed to follow the legal guidelines instead of short yellows to maximize traffic ticket revenues.


Consider yellow to mean "stop", and the length of it becomes irrelevant and the roads become a little bit safer.


For each given stop light, speed limit, and vehicle configuration, there is a rubicon that is crossed where it is impossible to stop before entering the intersection. Set up your camera and creep the yellow light time down past this limit and profits just start rolling in.


Exactly. There's uncountable number of stories easily google-able across the country where intersections with red light cameras magically coincidentally have their yellow light interval dropped by 1/4 to 1/3 vs intersections without red light cameras, to increase revenue.



You should also glance in your rear-view mirror to verify that the car behind you follows the same rule before you commit to stopping. Simple rules about traffic safety usually need a little tweaking IRL...


No. Yellow tells you to go faster.


a fellow Italian driver?


just because there is an html page being served doesn't mean you can access the control systems.

you're also assuming no one has done it - I have no idea whether or not someone has used shodan for malicious purposes, but that certainly doesn't mean it hasn't happened.


I read a novel in the late 1970s where a "hacker" breaks into a city's computer system and messes with traffic lights - does anyone remember the title? In the novel, the modified traffic light timing kills some joyriding teens who blow through an intersection counting on the light to stay green. At the climax of the book, the villain tries to kill off the protagonists by electronically locking the data center doors and triggering the CO₂ fire suppression system. Does anyone else remember this book? Was this "The Terminal Man" or am I mixing up two books?


Just in case anyone ends up here, the book I was thinking of turns out to be the rather obscure novel "Intruder" by Charbonneau from 1979.

More info on the book: https://www.kirkusreviews.com/book-reviews/louis-charbonneau...


I don't think you could crash the ISS into New York. I don't even think that's possible. It doesn't have the engines necessary to get back to the surface.


Getting down is way easier than getting up.

ISS has some engines, crashing on earth is very simple, you can just thrust in the opposite direction that you are going (thus falling into the planet, although slowly and probably astronauts can find the attacker and put it back into orbit before anything serious happens) or you can thrust in a diagonal of sorts, to slow your speed AND toward the planet (if you just accelerate toward the planet it is more probable that you will only create an elongated orbit, and if you insist, you will slingshot out of orbit).


It seems like the harder part would be hitting New York. You could crash the ISS somewhere on Earth pretty trivially, if you had the controls.


Assuming they didn't, you know, disconnect you while you were doing it. There are actual people up there; presumably they have manual overrides.


Right. I was assuming/implying a lot by saying, "if you had the controls." In the hypothetical where you have complete control of the ISS (despite manual overrides, et al), you'd still have a very hard time hitting a specific target on Earth. You could crash the thing fairly easily though. That's all I meant to say; I understand that this isn't a practical reality.


Yup, I understood. I was just adding a thought about how it was even more impractical than your comment suggested. Wasn't arguing against your point itself.


I'm not sure the ISS has enough delta-v to get back down quickly. Lowering the orbit enough so that it will fall down in a few weeks is probably possible.


It's likely that a decent orbital dynamics model and a relatively small, well-timed delta-v would bring the ISS down within a rather small planned impact area. It wouldn't be necessary to decelerate very much to accomplish that. Remember that the ISS must periodically boost its orbit to compensate for frictional losses, on that basis it can be assumed that the craft's dynamics are well-understood:

http://www.heavens-above.com/IssHeight.aspx


No because the ISS would burn up way before it hit the ground.


There would be debris hitting the Earth. It's too big to completely burn I think.


Perhaps, but ~70% of the Earth is empty ocean, and lots of the remainder is relatively empty landmass (huge deserts, unpopulated areas like Siberia, etc.), so just from a statistical perspective the odds of something that survives re-entry hitting a populated area without remote guidance are pretty slim.


Russia called, they said no.


Slim, not impossible.


" The good news is that Shodan is almost exclusively used for good.

Matherly, who completed Shodan more than three years ago as a pet project, has limited searches to just 10 results without an account, and 50 with an account. If you want to see everything Shodan has to offer, Matherly requires more information about what you're hoping to achieve -- and a payment. "

How does the fact that he charges for it mean that it's "almost exclusively used for good"? I would argue there is very little incentive to pay for something like this unless there is a monetary gain.


Actually, a lot of companies use Shodan data for research! For example, if you want a training set for your new webapp fingerprinting software then loading Shodan might be a good start. Or if you want to create whitepapers for your business, to drive sales for a specific product/ service, then Shodan can provide some empirical data to back up your claims. As was demonstrated with the Internet Census 2012, for people with bad intentions it's easier and much less attention-getting to just use a botnet (plus you don't need to go through the typical business agreements as you would with me). I hope that clarifies it a bit!


I seem to remember Matherly saying that he charged larger institutions who need lots of data for legit research. He also (as of a year and a half ago) said that he was basically breaking even.

I guess a university security researcher is looking for monetary gain in the form of grants, though.


"Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan."

How can there be any conceivable reason to connect these systems to the internet? Do they WANT an attack right out of a technothriller novel or the latest James Bond film?


Many embedded systems run Linux and are frequently attached to the network for remote control. The root passwords aren't usually changed on these Linux boxes, so they are a wide open security hole.

Many companies pay attention to this sort of thing and make an effort to isolate these kind of devices to the local intranet. For every company that is good about it, there are probably 10 that aren't even aware of the issue.


This is awesome, I never knew such a thing existed! But it's also quite alarming that so many devices are connected to the internet/computers that probably shouldn't be.

So my big question is: Is there a way to solve this 'security failure'? And if so, what is it/is it feasible? For someone with malintentions, Shodan seems to be golden.


It used to be fairly costless to ship products without security. It still is but the more attacks there are the more incentive there is to fix stuff. But there are so many more online devices shipping...


Part of the problem too is that when a particular product is compromised, most people stop at "Product X sucks" and don't ask themselves if the same vulnerabilities are present in products they themselves use.

As an example, take WordPress. I talk to people all the time who say "oh, WordPress isn't secure" even though the reasons most WordPress sites get hacked are due to practices that would make you vulnerable no matter what CMS you run -- not keeping up with security patches, running unneeded services on the server, not putting the admin area behind SSL, etc. But there's lots of people who move from WP to, say, Drupal and think that's made them secure, even as they continue doing all those same practices.


A nice article regarding the deep web is this one from fravia http://search.lores.eu/deepweb_searching.htm. It's from 2008 but I guess there is still some information there that is useful and relevant with Shodan.


More sensationalistic headlines? Shodan is nothing new, and I find nothing "scary" about it.


I've been playing with the data from the Carna botnet output[1]. Basically someone scanned a massive portion of the Internet using broken routers as bots. There's some interesting finds in the data but analysing it is quite awkward given the size. Shodan is interesting but unless you take up a subscription is pretty limited.

[1] - http://internetcensus2012.bitbucket.org/paper.html


Actually, more than 90% of the website's services are completely free! There are only 2 services that I charge for: HTTPS and Telnet. All of the new stuff for the past year I've added and made available for free. And with the Developer API you can easily access the data from within your own scripts.

Oh, and I've seen this in a few locations now but: NO SUBSCRIPTION REQUIRED. All of the stuff that's sold on the website is a one-time charge. There are no subscriptions on the website :)


That's interesting and I stand corrected, I was under the impression for some reason that subscriptions existed. As an aside, have you had a look at the Carna botnet output, and if so how does it compare to your data?


This is incredible! Unfortunately, Shodan itself appears to be down at the moment, presumably due to traffic from CNN. Awesome nonetheless.


It's fully up and running again after hours of putting out fires :)


I'm giving it a shot right now. It's not down, but very slow. Site's been loading for two minutes now.


could anyone register for a new account? all I get is a 405 not allowed.


That problem has been fixed! I made an error in configuring nginx for memcached and it ended up treating certain pages as static (which prevents them from getting POST requests).


which brings up the legal question (based on the ATT 3 year jail sentence):

When is an admin/password login not acting as an admin/password login at all?


They also missed ERIPP, which does something similar. This is all old news though, these things are constantly mentioned in other security reports. Even the government knows these things exist, which means that CNN is not scooping anyone :)


ERIPP is cool (I spoke to the author years ago), but to my knowledge it hasn't been updated in a while. And I cover 20+ services at the moment, so it's not just HTTP.


ERIPP v2 coming out in a (maybe) few weeks, and even though its current data is oooooold it's been written up in the last month or two.

In general, It is pretty humorous that these things still catch people by surprise :)


Looks like it's down: http://imgur.com/TqeYX95

Wonder if that's just because of the publicity, or is someone DoS'ing them.


It's a variety of factors that is causing downtime at the moment. The main culprit is the network itself at the moment, and I'm still trying to put out fires to hopefully make the website a bit more stable.


Even scarier is how fast their servers fall over :)


Authorization is hard, so why bother doing it at all?


OT: CNN broke the back button in Chrome on Windows.


I could be wrong but the article reads like a paid for PR piece[1] to get publicity for this search engine.

[1] http://www.paulgraham.com/submarine.html



