Ridiculous DHS bulletin criminalizes people using “advanced search techniques” on company websites


So now searching a ‘COMPANY’ website can be deemed malicious? Are they going to charge us as terrorists? This is ludicrous!

Are we all criminals in the eyes of our government?

“Google dorking” has become the acknowledged term for this malicious activity, but it applies to any search engine with advanced search capabilities. By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities. For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.

The bulletin warns that malicious cyber actors can use these techniques to “locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks.”  Hackers searching for “specific file types and keywords . . . can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities.”

Moreover, “freely available online tools can run automated scans using multiple dork queries” to discover vulnerabilities.  In fact, the bulletin recommends that security professionals use these tools “such as the Google Hacking Database, found at http://www.exploit-db.com/google-dorks, to run pre-made dork queries to find discoverable proprietary information and website vulnerabilities.”
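As an added example (not from the bulletin or the original post), the self-check the bulletin recommends can be rehearsed offline by evaluating dork-style queries against an inventory of the files your own server publishes. The `SAMPLE_SITE` inventory, the function names and the `inurl` operator are assumptions for illustration; only `filetype:xls intext:username` comes from the text above.

```python
import posixpath
import shlex

# Constructed inventory: public URL path -> text extracted from the file.
# In a real audit this would come from crawling your own site or web root.
SAMPLE_SITE = {
    "/reports/q3-staff.xls": "Name\tUsername\tDepartment\njdoe\tjdoe\tFinance",
    "/docs/brochure.pdf": "Welcome to our campus open day",
    "/backup/users.csv": "email,username\nalice@example.org,alice",
    "/index.html": "Home page. Contact the helpdesk for assistance.",
}

SUPPORTED = {"filetype", "inurl", "intext"}

def parse_dork(query):
    """Turn an 'operator:keyword' query into (operator, value) pairs.
    Bare words are treated as intext terms; quoted phrases stay together."""
    terms = []
    for token in shlex.split(query):
        op, sep, value = token.partition(":")
        if sep and op.lower() in SUPPORTED:
            terms.append((op.lower(), value.lower()))
        else:
            terms.append(("intext", token.lower()))
    return terms

def matches(path, text, terms):
    """True only if the file satisfies every term of the query."""
    ext = posixpath.splitext(path)[1].lstrip(".").lower()
    for op, value in terms:
        if op == "filetype" and ext != value:
            return False
        if op == "inurl" and value not in path.lower():
            return False
        if op == "intext" and value not in text.lower():
            return False
    return True

def audit(site, queries):
    """Map each query to the sorted list of published paths it would surface."""
    findings = {}
    for query in queries:
        terms = parse_dork(query)
        hits = sorted(p for p, t in site.items() if matches(p, t, terms))
        if hits:
            findings[query] = hits
    return findings

if __name__ == "__main__":
    for q, hits in audit(SAMPLE_SITE, ["filetype:xls intext:username", "inurl:backup"]).items():
        print(q, "->", hits)
```

Any path reported here is a file to remove from the public tree or put behind access control before a search engine indexes it.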

Several security breaches related to the use of “advanced search techniques” are also referenced in the bulletin.  One incident in August 2011 resulted in the compromise of the personally identifiable information of approximately 43,000 faculty, staff, students and alumni of Yale University.  The information was located in a spreadsheet placed on a publicly accessible File Transfer Protocol (FTP) server and was listed in Google search results for more than ten months prior to being discovered.

Another incident in October 2013 involved attackers using Google dorking to discover websites running vulnerable versions of vBulletin message board software prior to running automated tools that created administrator accounts on the compromised sites.  As many as 35,000 websites were believed to have been compromised in the incident.


The FBI/DHS currently has 77.7 million individuals on file in its master criminal database, or nearly one out of every three American adults:

Over the past 20 years, authorities have made more than a quarter of a billion arrests, the Federal Bureau of Investigation estimates. As a result, the FBI currently has 77.7 million individuals on file in its master criminal database—or nearly one out of every three American adults.

Between 10,000 and 12,000 new names are added each day. This master database is accessed by thousands of employers running pre-hire background checks, as well as by banks and landlords. One moment of stupidity, even if it never results in time served, could derail someone’s life. Arrests are damaging, even if it’s ultimately determined that no criminal activity occurred. How many thousands of people are being turned down for loans or rejected by landlords simply because a cop made up BS charges to arrest a photographer or deployed handcuffs instead of responsible crowd control?

When Precious Daniels learned that the Census Bureau was looking for temporary workers, she thought she would make an ideal candidate. The lifelong Detroit resident and veteran health-care worker knew the people in the community. She had studied psychology at a local college.

Days after she applied for the job in 2010, she received a letter indicating a routine background check had turned up a red flag.

In November of 2009, Ms. Daniels had participated in a protest against Blue Cross Blue Shield of Michigan as the health-care law was being debated. Arrested with others for disorderly conduct, she was released on $50 bail and the misdemeanor charge was subsequently dropped. Ms. Daniels didn’t anticipate any further problems.

But her job application brought the matter back to life. For the application to proceed, the Census bureau informed her she would need to submit fingerprints and gave her 30 days to obtain court documents proving her case had been resolved without a conviction…

She didn’t get the job.

This is one case out of thousands. Exacerbating law enforcement’s enthusiasm for making meaningless arrests is the fact that no one involved in maintaining the criminal database is interested in making sure it only contains convicted criminals. Documentation of arrests isn’t removed when charges are dismissed, and information on cleared individuals is seldom forwarded to the FBI by local police departments.

And it’s not as though false arrests are the exception to the rule. According to research done by the University of South Carolina, it’s more of a coin toss — 47% of respondents who were arrested were never convicted and 25% were never even charged.

This callous disregard for the falsely arrested places the burden on those harmed by law enforcement’s wrongful actions to clear their names, which in our criminal justice system is an entirely uphill battle.

In October 2012, Jose Gabriel Hernandez was finishing up dinner at home when officers came to arrest him for sexually assaulting two young girls.

Turns out, it was a case of mistaken identity. In court documents, the prosecutor’s office acknowledged that the “wrong Jose Hernandez” had been arrested and the charges were dropped.

Once the case was dismissed, Mr. Hernandez assumed authorities would set the record straight. Instead, he learned that the burden was on him to clear his record and that he would need a lawyer to seek a formal expungement.

“Needless to say, that hasn’t happened yet,” says Mr. Hernandez, who works as a contractor. Mr. Hernandez was held in the Bexar County jail on $150,000 bond. He didn’t have the cash, so his wife borrowed money to pay a bail bondsman the nonrefundable sum of $22,500, or the 15% fee, he needed to put up. They are still repaying the loans.

Notably, there are no corresponding negative results for police who arrest the wrong person. It’s always an “honest mistake” even when nearly half of their arrests never result in convictions. It’s the citizens who need to spend their time and money (which, given the economic background of those most likely to be arrested, are generally commodities in short supply) trying to convince potential employers, landlords and banks that they’re not actually criminals.

The difference a false arrest can make in one person’s life is devastating. According to the Wall Street Journal, someone with an arrest on their record is only half as likely to own a house and twice as likely to be below the poverty line by age 25.

Ballooning law enforcement budgets have combined with bad ideas like zero tolerance policies and “broken windows” policing to turn arrests into a near inevitability, especially for citizens who aren’t white… or document police activity… or engage in First Amendment-protected speech. There’s no path guaranteed to keep your record from being blighted by a trumped-up charge or an arrest that leads nowhere. To those who control your future — employers, landlords, banks, college admission offices — it all looks the same when the background report comes in. The FBI is barely interested in ensuring its criminal database only houses data on criminals and local law enforcement agencies seem to be totally disinterested in clearing those wrongfully charged.

Once again, the public is expected to do the legwork if it ever hopes to climb higher than the lowest rung in our nation — guilty even if proven innocent.




7 thoughts on “Ridiculous DHS bulletin criminalizes people using “advanced search techniques” on company websites”

  1. “…can use these techniques to “locate information that organizations may not have intended to be discoverable by the public…”

    Then they shouldn’t have posted it on the internet. Does this “information superhighway” belong to the people, or the corporations?

    As far as the government is concerned, nothing they say or do should ever be hidden from the public.

  2. This is what problem, reaction, solution to “SECURITY BY OBSCURITY” looks like.

    oath breaking retards witch hunt is more like wtf is goin on

  3. I will give the LOW budget solution.

    echo "DENY FROM ALL" > .htaccess

    okay, you should have a new file called .htaccess (yes there’s a dot)
    in that file should be 15 characters “DENY FROM ALL” (in caps)
    now try to get to that file again. Oh you did Encrypt your file Right? Right?


    1. See I am a DUMMY.. 15 characters lol omg I just saw that…

      Maybe not fifteen characters eh?
      Don’t make me count.

  4. I will leave today with one last thought,

    encrypted, port-knocked (e.g. SPA’d), on-the-fly symlinking/unlinking, of exact target[s]

    I’M off to the garden then

  5. BAHAHAHAHA!!! ROLMFAO!!! Criminalizing people for using an advanced search engine.

    So I’m supposed to waste my time looking for something that would take me five seconds if I used an advanced search engine. Otherwise, that would make me a criminal?

    OMG……. 🙄 (shaking my head in disbelief) Really, how do the minions at DHS live with themselves? I just don’t get it. They’re truly in their own little world.

    They must spend all their day in meetings trying to figure out what kind of pointless statements they can make to instill fear and create a terrorist threat on the public each day because I seriously don’t know what the hell else they do for a living.

    What’s next? People who use Apple computers are more likely to be a terrorist than a person using a Microsoft computer? Or how about if parents have a girl instead of a boy, they would most likely be terrorists? I mean come on, people. This is pathetic.
