Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
The Courts Government News Your Rights Online

Reuters Accused Of Hacking For Typing In URL 569

Posted by timothy
from the permission-granted-or-denied dept.
Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."
This discussion has been archived. No new comments can be posted.

Reuters Accused Of Hacking For Typing In URL

Comments Filter:
  • by jukal (523582) on Tuesday October 29, 2002 @04:26AM (#4554264) Journal
    What if you get the link for the yet unpublic page from the referrer logs of your own site, for example www.reuters.com -logs. Would using that information be criminal?

    Here's [slashdot.org] a related thread from yesterday.

    • by technix4beos (471838) <cs@cshaiku.com> on Tuesday October 29, 2002 @04:32AM (#4554289) Homepage Journal
      If their webserver is attached to the internet in any way, then anything it is "serving" is fair game, and should thus be protected appropriately.

      This story sounds like someone got careless, and didn't lock down the folder the data lived in.

      Sounds also like someone (their admin?) is trying to cover up the error by reporting to his (clueless?) bosses that obviously it was hacked, else how could they -ever- get that information, right? (yeah, right.)

      Perhaps the admin should check out this handy url and order his copy soon.

      http://www.amazon.com/exec/obidos/tg/detail/-/18 61 007221/qid=1035883929/sr=8-2/ref=sr_8_2/104-261132 8-8021524?v=glance&n=507846

      I know I did, and it's invaluable.
      • by isorox (205688) on Tuesday October 29, 2002 @05:37AM (#4554483) Homepage Journal
        If their webserver is attached to the internet in any way, then anything it is "serving" is fair game, and should thus be protected appropriately.

        While I'd normally agree, if its protected by some kind of protection (htaccess) - even if its really weak, accessing in would be cracking, same as if a door in a house is open, you still cant nick the TV.

        Of course in this case google would have spidered the report before long and they cant prosecute an automatic robot can they?
        • by gazbo (517111) on Tuesday October 29, 2002 @06:00AM (#4554542)
          No, Googlebot needs a link. If it is inaccessible through hyperlinks, Googlebot won't even know it existed. Of course, if it followed Reuters link then it would have found the report, but then that's the whole point of the legal action, isn't it?
          • by Xentax (201517) on Tuesday October 29, 2002 @08:59AM (#4555208)
            I'm not an expert on Search Engine Backends (IANA...ahh screw that).

            But, wouldn't most search engines also at least try to grab index.html on directories in which they've found other files?

            Of course, I doubt that's what happened here. From what I can tell on the "victim" website, Reuters just guessed what the URL for the report would be. Who hasn't done that before, in some way or another (e.g. guessing what a broken URL was supposed to be)?

            There's clearly NO access control here, except a shining example of how security through obscurity is NOT security at all.

            Xentax
          • by tzanger (1575) on Tuesday October 29, 2002 @10:54AM (#4556104) Homepage

            No, Googlebot needs a link.

            No, it doesn't.

            Google plays tricks with servers. With apache, for instance it tries the venerable www.site.com/?M=A and ?S=D, ?N=A etc. tricks. If Apache isn't locked down, it'll happily bypass index.html and give you directory listings, and then spider any subdirectories using the same method. I had several of my unpublished directories found by google this way.

            • by Qrlx (258924) on Tuesday October 29, 2002 @11:37AM (#4556430) Homepage Journal
              What about the Google toolbar? I'm not sure what that thing is all about, BUT...

              I was running the Google Toolbar, and I had some un-linked content on our live web server. Then my boss just happened to be searching for some of that info on Google, and bam! The "secret" pages on our web server show up! Content that was indeed on the web but did not have any outside hyperlinks pointing to it was being cached by Google.

              How did Google find it? The only thing I can think of is that the Google Toolbar noticed that I went to that unpublished URL and "phoned home." (By the way, the web server is running IIS 5.0/Windows 2000, so I doubt those Apache tricks would work, though there must be similar tricks for IIS.)
        • by Black Parrot (19622) on Tuesday October 29, 2002 @08:03AM (#4554929)


          > While I'd normally agree, if its protected by some kind of protection (htaccess) - even if its really weak, accessing in would be cracking, same as if a door in a house is open, you still cant nick the TV.

          No, the correct analogy is "if you stand naked in your doorway you can't complain about everyone seeing your naughties".

    • by jmo_jon (253460) on Tuesday October 29, 2002 @08:03AM (#4554922) Journal
      Imagine this scenario:

      An employee of a company takes their earnings report to a trainstation and leaves it there. A random person who happends to be a journalist picks it up and reads it through. He realises that this is dynamite since his paper will be the first one printing it so he decides to print it.

      Now will that journalist be guilty of espinage or will the employee at the company be the one to blame? I think none doubts it will be the employee making the mistake and I can't see the difference in puting it on their official website. Of course none knows what it is and it's hard to find just like a random paper in a train station. But the fact remains, someone at the company put the secret paper in a public forum in which someone happend to find it.

      I wonder what will happend if they win the sue. Will everyone linking to a page be forced to check constatly that the site they are linking to still has an 'official' link to the document, or risk facing charges?
  • by Bartmoss (16109) on Tuesday October 29, 2002 @04:28AM (#4554269) Homepage Journal
    It could have easily been protected by .htaccess or whatever. So, they have no case. Let's hope Reuters won't budge, and the judge will have a clue.
    • by passthecrackpipe (598773) <passthecrackpipe ... m ['hot' in gap]> on Tuesday October 29, 2002 @05:51AM (#4554521)
      I don't think this is about security, or .htaccess, or typing a URL, or anything technical whatsoever. This is simply a company that is being *extremely* clever when it comes to Marketing.

      Yesterday, I, as an IT professional that makes purchasing decision for a large organisation, had never heard from this company. Now I know they make Collaborative Solutions. All it cost them was a bogus courtcase with Reuters.

      This is clever marketing, nothing more, nothing less. Anyone can spot the lack of merits of this case from a mile away. Brand and name recognition of this company is soaring though. I wonder how their stock price is taking it?

    • by Sancho (17056) on Tuesday October 29, 2002 @09:30AM (#4555385) Homepage
      This case is actually symptomatic of a much larger problem that the US (and the rest of the world, from the looks of it) face: using the courts and your clout to cover up your mistakes. It seems like it's gotten to the point where if something happens that you don't like, you sue someone. Doesn't really matter who. Filing a suit has become a method of saying "We did nothing wrong, in fact we were wronged." even when in many cases this is simply untrue.
      This company clearly messed up. A news agency got some information (and not by hacking!) and published it. The information wasn't fraudulant. If it was false, it wasn't with a disregard for the truth--after all, it was in a document on the company's website. But the company in question didn't like the fact that the information got out, so they sue the news company.

      Forget terrorism and its effect on "free speech and free press" (right now a mostly US-centric concern) the real danger is big budget corporations who have the money and time to spend taking you to court because they didn't like what you had to say. It's scary, folks, and it's not getting any better.
  • Online or not. (Score:2, Interesting)

    by dda (527064)
    I think that by definition : online measn available, and not linked. If it has to be sanctionned because it was online, then yes, they must be guilty.
  • Are we going to get "internet traffic tickets" now, instead of a 404 error?

  • Ridiculous! (Score:2, Funny)

    by ChristW (18232)
    Oh wow! Deep-linking outlawed, URL-typing outlawed! How long until hyperlinking itself is outlawed? Oh wait, I should ask BT that, since they own the patent on hyperlinking...

    Besides, isn't 'regulating access to private information on a public website' what httaccess was for?
    • Re:Ridiculous! (Score:5, Interesting)

      by Anonymous Coward on Tuesday October 29, 2002 @04:39AM (#4554317)
      Here in Denmark we have a similar (but more serious) case. A micro-payment system called Valus owned and developed by a Norwegian bank (Den Norske Bank) was "hacked" on its premiere day by typing in a simple URL with the command SHUTDOWN at the end. The link to do this was published on an online debate forum and several people tried the link (although it had a warning that you should not try it:-). The problem was missing input validation (maybe the most basic security issue). Until now five people have been taken to court - one of them being the "mastermind" who posted the link. As a reaction to this behaviour Valus has been reported to the state agency for protection of personal data (Datatilsynet) for not securing personal data.
      • There was a similar case in Australia a few years ago, so please forgive me for not going into great detail, as my memory is no longer photographic.

        It seems there was an Asutralian Government site for information about your tax status. You entered your tax file number (same as the US SSN), plus a little more information to verify your identity, and then were shown a page with some tax information of some sort.

        One man noticed that the page he was eventually directed to was http://somethingsomething.gov.au/something.asp?tfn ={his-tax-file-number} and wondered how good the security was. So of course, he types in another tax file number in the address field to test it.

        BLING! Someone else's tax information pops up! No security at all, someone had just dumped this simple database-access script on the web for all to see! He tells someone in the tax department (big mistake) about the security flaw and POW a piano falls on his head. Metaphorically speaking.

        Are there any Aussies in the audience who remember any more details about this one? It was at least 3 years ago.. can't remember the final outcome.
  • Stupidity (Score:5, Insightful)

    by e8johan (605347) on Tuesday October 29, 2002 @04:31AM (#4554281) Homepage Journal
    Quotes are from Intentia's press release concerning the investigation.

    "Reuters News Agency Broke into Intentia's IT Systems"

    I would not call it breaking in to surf on someones homesite.

    "there was an unauthorized entry via an IP-address belonging to Reuters"

    What do they mean, do I have to call them and ask for permission before accessing files publically available on their homesite?

    As Reuters didn't steal anything, but simply pointed at on open window (that they found) I would have to say that their act was not illegal. What they should investigate is their internal safety policies, because they need a revision or two (IMHO).
  • Silly (Score:2, Insightful)

    by Anonymous Coward
    The whole purpose of an internet server is make information available to the public. there are specific provisions for restricted documents and Inertia's ignorance of those provisions is not the responsibility of the people who visit their site.
  • by tunah (530328) <sam&krayup,com> on Tuesday October 29, 2002 @04:32AM (#4554285) Homepage
    If you don't use a hyperlink on a website, are you committing a crime?

    It's not about the existence (or not) of the link, but the source of the URL. While I don't agree with it, I think what they are saying is that if a site doesn't publish a URL (usually through a link, but could be in print, etc) it is not public information and accessing it is unauthorised access. This is the same attitude (if not specific issue) that has a problem with deep-linking [slashdot.org] too.

    • I disagree completely about the source of the URL being the issue. If it is in a folder the web server has been told to publish, anyone could call the information up, perhaps by mis-typing a URL that has been published, say when trying to look at the information for last year (which did have a published URL).

      If your web server hands something out to the public, it is because you made it available. If I fat finger an entry into my browser, am I hacking, or just a bad typist? This all goes back to due diligence on the part of the company. If you are careless with your information, like not shredding it, and someone finds it in a dumpster, you are at fault. This is a key notion of trade secret law, and something similar should apply here. Security by obscurity doesn't work.
  • that's cold man. (Score:2, Insightful)

    by xirtam_work (560625)
    anybody who strays from the 'garden path' of links provided shouldn't be deemed a criminal.

    However, it depends upon what you do with this so-called unpublished material.

    What Reuters did exposed the company to a situation before they were ready. Seems to me like the company should have taken more adequate security such as using htaccess passwords, etc.

    I court I hope Reuters don't get busted for accessing the information, but for publishing details about it. After all I'm sure that the company in question had a copyright notice on all their pages, right?

    • by dipipanone (570849) on Tuesday October 29, 2002 @04:51AM (#4554362)
      What Reuters did exposed the company to a situation before they were ready.

      Which is precisely what you'd expect them to do, Reuters being a press agency and all.

      I court I hope Reuters don't get busted for accessing the information, but for publishing details about it.

      Damn straight. If it weren't for those goddamned financial journalists, I bet Enron would still be trading today. The freedom of the press has got no business interfering with our right to earn a dishonest dollar.

      After all I'm sure that the company in question had a copyright notice on all their pages, right?

      So what? Do you really believe Reuters breached their copyright in the report?

      Get a jar of glue, man.
  • by stud9920 (236753) on Tuesday October 29, 2002 @04:32AM (#4554288)
    Well I do it all the time when browsing pr0n. Suppose you have an url like this one : http://www.hotteenchick.com/free/tgp/melanie08/mel anie08.html,
    it doens't take long to figure out where the other pics are.
  • by toriver (11308) on Tuesday October 29, 2002 @04:32AM (#4554290)
    In my opinion, any HTTP GET request is exactly that, a request. "May I have that resource, Server Sir?". And if the server (which is the thingy that is responsible for allowing or refuseing the request) actually sent the requested resource/document back to the client, it has answered "Yes, you may" by responding with the resource.

    If the publishers of the resource wanted to limit access to the resource they could add authentication, referer checking, or a timestamp check - anything, really. Since they did not, I fail to see how they can have a case.

    "Security through obscurity", like having a non-linked but available resource, is self delusion.

    • by sco08y (615665) on Tuesday October 29, 2002 @05:12AM (#4554417)
      "Security through obscurity", like having a non-linked but available resource, is self delusion.

      That's one of those mantras that get repeated until people believe they're true.

      Fact is, all security is obscurity. Security rests on the notion of a shared secret. Some key that both you and the other guy know.

      In my opinion, any HTTP GET request is exactly that, a request. "May I have that resource, Server Sir?".

      So if I add a login header, is that just another GET request? It's the difference between http://root:12345@www.0wn3d.com/ and http://www.0wn3d.com/.

      Or what if I add an obscure folder name to the URL like sf908h234ff98hs9f?

      You might argue that the actual crime was in obtaining the password, and I agree that (for example) fraudulently claiming to be an employee (psychological hacking) is criminal, but it's a seperate offense.

      That's why breaking into someone's house is "breaking & entry." Even if you don't have to break in, entering is still criminal.

      The problem with "ah well, these guys were just poking around, the publishers should have used proper security" is that it raises the bar of what security is to what we experts think it ought to be. Many people don't have the capability to employ such measures, so we're denying them legal recourse.

      It would cause the same kind of division in society as if we had a law that said burglary doesn't count unless you have an expensive security system.
      • by D+iz+a+n+k+Meister (609493) on Tuesday October 29, 2002 @05:30AM (#4554460) Journal
        The problem with "ah well, these guys were just poking around, the publishers should have used proper security" is that it raises the bar of what security is to what we experts think it ought to be. Many people don't have the capability to employ such measures, so we're denying them legal recourse.

        1. These people are experts.
        2. From a practical viewpoint, it should not have been on that server if it wasn't to be served. Anyone with sensitive data should at least be able to employ that measure.
        3. Why should they have legal recourse against typing things in the address bar of a browser?
      • by j7953 (457666) on Tuesday October 29, 2002 @07:57AM (#4554895)
        So if I add a login header, is that just another GET request? It's the difference between http://root:12345@www.0wn3d.com/ and http://www.0wn3d.com/.

        No. In that case, you're trying to circumvent (by having illegally obtained or by guessing the password) a security measure. (Also see below.)

        It would cause the same kind of division in society as if we had a law that said burglary doesn't count unless you have an expensive security system.

        No. There is a difference between trying to receive information (i.e. trying to have it delivered to me), and trying to actively enter someone else's property. The breaking-in analogy is fundamentally flawed, at least as long as we're not talking about trying to circumvent any security that is installed (e.g. trying to guess passwords -- that would be trying to actively enter).

        Also note that houses (and physical locations in general) usually make it quite obvious whether they're supposed to be public or private. All private houses, even if they have no locks or security systems, have an implicit security mechanism: doors. Even if they're unlocked, closed doors tell most people not to enter unless invited by someone opening the door, or by a sign that tells them it's public. Why do you think most stores have doors that allow you to look into the store, that have obvious "open" signs, and that sometimes even open for you automatically? It's a way of telling people that the door is, unlike most other doors, not intended to keep them out.

        URLs, however, are all designed the same way, there is no obvious difference between private and public resources. The only way to recognize them as private is to request them and see if a password request will show up. And experience suggests that most URLs are public.

        Making it potentially illegal to try an URL will get you into the same legal problems as trying to make a difference between precise links ("deep links") and generic links (links to front pages).

        Some of the questions you'd have to answer are:

        • If you have requested, by following a link, the resource /some/path/document, and get a 404 Page not Found error, is it legal for you to try accessing /some/path/ by changing the URL in your browser's URL field?
        • Is it legal to type some domain name into your browser, even if it is not published anywhere? (E.g. you're looking for Foo Corporation's web site and try www.foo.com.)
        • If you're currently reading /2001/some-report, and you think that the year 2002 record would be more interesting, would you not try to type /2002/some-report into your browser?
        • If you're reading a structured document, e.g. an online book or a howto article, and you're currently reading /3-1, and you realize you'd like to skip chapter three but the "Next" link points to /3-2, is it legal for you to type /4 into your browser?
        • If you follow a link and get a 404, and the URL looks like the webmaster simply made a typo, is trying to correct the URL illegal without permission?
        • If any of the above is illegal, but someone did it anyway and then published the URL on his web site, without telling how he found it, is it illegal to click? To copy and paste?

        I am a webmaster myself, and I do agree that there are some requests that are sent with obviously malicious intentions (e.g. requests for cmd.exe etc.). But I am also a web user, and I don't want browsing the web to become a legal risk simply because I know how URLs work and make use of that knowledge. Some web site operators seem to believe that simply because they intended their visitors to behave in a certain way, and didn't provide any means for the users to behave differently, that anything but what they expect you to do should be illegal.

        There is a difference between an author telling you that it makes sense to read chapter four of his book before reading chapter five, and an author trying to put you in jail for reading chapter five first anyway.

        • The very design of the web lends itself to such flexibility and open-ness with regards to URLs. As such, the technology that drives the web also allows for these sort of situations to be accounted for. In fact, under current law (erm, the DMCA i believe, at least in part :-\ ) it is illegal to do anything on your list if and only if the administrator of the server took actions to prevent you from doing it.
          • If you have requested, by following a link, the resource /some/path/document, and get a 404 Page not Found error, is it legal for you to try accessing /some/path/ by changing the URL in your browser's URL field?
          By all means it should be. The URL is just a location. Any use of the URL for "security" purposes isn't really much of a solution, as there are better/less revealing methods for implemeting security checks, such as HTTP Auth. and Cookies. If you wish for a directory to not be listed, add an index.html to it with a "denied listing" message, or better yes, switch auto-indexing off on your server, which will result in a 404 error every time if this is attempted.
          • Is it legal to type some domain name into your browser, even if it is not published anywhere? (E.g. you're looking for Foo Corporation's web site and try www.foo.com.)
          Once again, it very well should be, unless that domain is restricted somehow. Any website that leaves access open and free to all is just that: open and free to all. It's like a big, open field anyone can walk into. If you want your site to be restricted, web browsers and servers provide the capability to "put a fence aroudn that field", i.e. authentication methods and sessions, again through HTTP Auth and Cookies.
          • If you're currently reading /2001/some-report, and you think that the year 2002 record would be more interesting, would you not try to type /2002/some-report into your browser?
          If the site owner woudl not liek to allow this (i.e. you must pay for each report, or maybe you must view them in some order so as not to get the wrong idea about something, who knows) once again sessions and auth methods are availible, and also check the HTTP_REFERER, make sure the page in question is being accessed only from an authorized source. This also prevents deep linking, and through the use of logging can even report "offenders" to the webmaster. Of course, if they can't access your site, there is no need to take legal action against them, a nice friendly e-mail explaining not to deep link will sufice for most.
          • If you're reading a structured document, e.g. an online book or a howto article, and you're currently reading /3-1, and you realize you'd like to skip chapter three but the "Next" link points to /3-2, is it legal for you to type /4 into your browser?
          As long as there is no reason for the site to be restricting you from chapter 4, again the responsibility of the webmaster. If you want to keep people out of a room, you should lock it. It doesn't matter if it's illegal for people to go there, at the very least someone will wander in on accident. We dont' depend on laws to tell people not to rob our houses, we lock the doors so people can't get in.
          • If you follow a link and get a 404, and the URL looks like the webmaster simply made a typo, is trying to correct the URL illegal without permission?
          I would certianly hope not...
          • If any of the above is illegal, but someone did it anyway and then published the URL on his web site, without telling how he found it, is it illegal to click? To copy and paste?
          It's illegal for him to tell you, and if the webmaster took any precautions to keep the URL save other than "obscurity" then your actions are illegal too. However, if the URL is simply open for the taking, there is nothing that can be done about your clicking or copy + pasting. This is where the web differs from real life. If someone trold you "Hey, go through this hidden door and take what you want!" it's illegal. By the very nature of the web, any door left open is an invitation to the public. Webmasters need to be less lazy and realize this is the way it is, and they need to take protective measures for sensitive data.

          Hope that all made sense, I am late for class so no time for revision! *runs*
      • I'd like to draw an analogy here.

        Some might say that a server is like a house, a proper house has a security system and locks. People are free to stand around on the sidewalk, and have a look at your lawn flamingo's, but they may not try to enter the house unless they have been given specific permission to do so, which would be implied with the giving of the security code and a key to the front door.

        I prefer to think of a server as more of candy at someone's desk. Some candy may be sitting in a bowl on the edge of the desk where all may freely partake of it. Other candy may be locked up in their drawer, or failing drawers, at least hidden from view. Unless you've been given specific permission to have candy locked up in someone's drawer, you may not have any. Someone wishing to protect their candy needs to do this. Simly placing a blank sheet of paper over the "protected" candy bowl is *not* sufficient to indicate that you don't want people to partake of that candy.

        What that breaks down to is that having an easily guessed URL as the only obscurity to protect sensitive information (eg, http://server/2001-report/ with the sensitive one at http://server/2002-report/) is only a blank sheet of paper, it does not indicate that the information in 2002-report is sensitive. If they wished to protect their information, they should use whatever security means are at their disposal, which you're right, may not include technical know-how, but it *does* include the common sense know-how of at least making the URL http://server/randomstring/.

        In my mind, the real issue here is that the "attacked" company failed to sufficiently indicate that the information was sensitive. It's very easy to imagine that Reuters was browsing for the report, couldn't find the link, so did what I myself have done countless times, assume that the information is intended to be public, but that some error has prevented it from being displayed that way (a sheet of paper fell off the shelf on top of the candy bowl), and so simply changed a 2001 to a 2002, and removed the sheet of paper.
      • >Fact is, all security is obscurity. Security rests on the notion of a shared secret. Some key that both you and the other guy know.

        Wrong. The security guard at the bank who's holding a rather impressive weapon isn't the slightest bit obscure. The security he provides is based on not being obscure.

    • Interestingly, that is how Dutch law works. If a document is not secured, it is considered to be public. Security through obscurity does not count; to be held accountable for cracking, you have to steal a password or actively circumvent security measures or use an exploit to gain access, meaning that you are aware that you are breaking into a secured system you are not meant to enter.
  • by g4dget (579145) on Tuesday October 29, 2002 @04:37AM (#4554307)
    Many people truncate URLs to avoid dealing with broken site navigation systems. Mozilla and Galeon even have an "up" button. Other pages may become unlinked but may still be linked from a log or search engine. Some files, like /robots.txt, are almost never linked to, yet everybody knows they are there. And more than once, I have mistyped a host name along with a URL and gotten a web page that looked not entirely public (logs, etc.).

    In some areas of law, it's unavoidable drawing fuzzy boundaries and considering intent. However, in this case, anybody who wants to protect their information on the web easily can, using standard web access control schemes; they don't need to rely on using obscure URLs. Let's not burden the courts with this.

    This is part of a more general and disturbing trend, where lazy system admins don't spend the time set up their systems correctly, or management hires incompetent and cheap staff, and then try to use the court system and police (i.e., taxpayer money) to make up for their own shortcomings.

  • Confidence (Score:5, Funny)

    by Znork (31774) on Tuesday October 29, 2002 @04:37AM (#4554308)
    "The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB."

    Um, yeah. If you cant tell the difference between 'storing confidential data in an access controlled place on your internal network' and 'storing confidential data on an open-for-all external site' it sure will damage my confidence in Intentia as a company. Incompetent is a fairly fitting description.
  • The one person that put the document on a public webserver is the one who's to blame. No matter how they toss and turn it it was accessible without any access restrictions from the web. Nothing was hacked and no password guessed.

    I relly hope that the court handling this case will understand how a webserver functions. In that case its all clear whos to blame.
  • Mantra (Score:5, Insightful)

    by RAMMS+EIN (578166) on Tuesday October 29, 2002 @04:39AM (#4554314) Homepage Journal
    Repeat after me:
    If you don't want people to read something, don't put it on the Internet.

  • by Stubtify (610318) on Tuesday October 29, 2002 @04:39AM (#4554316)
    While this seems absurd on the surface, I could see a judgement going either way, for mainly two reasons.

    First, Reuters' position would probably be that the data was on a public network which was in plain view as long as the url is typed in. I myself do this all the time, why go to www.microsoft.com, click once on support, then click on download when I know the url I want is www.microsoft.com/download. It saves time and trouble. However their "accidental" stumbling upon of this data, which is far more important than anything I'd ever likely find on accident would most likely not fall into the same category. IANAL, but at the same time I would argue that anything they don't want leaked shouldn't be put online anyway, and espically without any security.

    However, I can see Intentia International's point of view. What's to stop someone from simply hitting their webserver with every alpha-numeric combination possible. They'll eventually come across the correct one for some piece of information which had gone previously undiscovered because it was to be placed up at a time which was decided by Intentia or any other company for that matter. I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/fin ancial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password. And, scarily enough if they showed a direct relationship between all pages not yet linked and their corresponding URL perhalps a big fat DMCA case might come about if Reuters or someone figured that "~a2eslcf" meant "third quarter" in some sorry 2 bit encryption.

    • by pubjames (468013) on Tuesday October 29, 2002 @05:47AM (#4554506)
      I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/fin ancial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password....

      Dumbass:But your honor, that man has stolen a hundred dollars from me! I think I made a reasonable attempt to hide it by keeping it in an old shoe in a hedge at the local park. Who would think to look there? ...what do you mean I'm a dumbass?

  • by phr2 (545169) on Tuesday October 29, 2002 @04:40AM (#4554323)
    Deep linking has the same issue. URL's are like phone numbers.

    The company homepage, www.corp.com, is like the main switchboard number, say 555-1000.

    URL's reachable through the home page (www.corp.com/foo/bar) are like internal extensions you can find through the voice menu system (555-1357).

    The link with the earnings report is like an extension (555-2468) not on the voice menu, that came off somebody's business card or answering machine or some unknown channel.

    That's it. Reuters is being sued over something very much like calling an unlisted direct phone number inside some company. How they got the phone number is, well, irrelevant. They're a news organization, they have reporters, whose job is digging up info like phone numbers.

    Deep linking works the same way for anyone else too, of course. Like duh, if you don't want something to be reachable without going through the switchboard, don't give it a direct number exposed to the outside world.

  • by httpamphibio.us (579491) on Tuesday October 29, 2002 @04:41AM (#4554324)
    It depends on how you define hacking... if they had no inside information about the URL, then yeah, guessing the URL would be a type of hacking but, I don't believe, one that could be punishable by law. For example, if I put an object I own in a public place... say, some place where the object is hidden but could be found if somebody was looking for it. Then a couple days later it's gone... is that theft? Sure, but, again, I don't think it can be punished. One of those "you should have known better," examples.
  • by SexyKellyOsbourne (606860) on Tuesday October 29, 2002 @04:42AM (#4554330) Journal
    Stockholm, Sweden -Intentia International (publ.) announces the results of its internal investigation launched due to circumstances around the fact that Reuters published Intentia's fourth quarter results for 2002 prior to the scheduled publication on October 24th. "The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.

    The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters using an exploit in the web server. The entry took place at 11:51 pm on October 24th 2002, prior to the publication of the interim report for the fourth quarter of 2002. At approximately 12:57 pm, Reuters published the first news flash giving information on Intentia's third quarter result, without prior confirmation from the Company. Intentia issued its earnings report ahead of schedule at 1:22 pm that same day. "The incident has severely damaged confidence in us as individuals and in Intentia as a company, and has cost millions of dollars worth of damages" says Björn Flänsost, CEO of Intentia International AB.

    "We question the methods used by Reuters, and our judgement is that we have been the target of illegal actions. As a consequence we will file criminal charges regarding the incident, and will seek the maximum penalties for all those involved" says Björn Flänsost.

    On Thursday, Intentia contacted the Stockholm Stock Exchange regarding an internal investigation of the incident. "We will disclose to the Stockholm Stock Exchange all technical details on how the intrusion was made, which will allow them to share this information with other listed companies, so that actions preventing similar events in the future can be made," concludes Björn Flänsost.
  • by MalleusEBHC (597600) on Tuesday October 29, 2002 @04:43AM (#4554333)
    "The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.

    While most everyone here will agree that Reuters at worst could have their actions describe as exploiting Intentia's utter stupidity, quotes like this show how little some people know about computers. This guy obviously thinks that just because they didn't provide an explicit hyperlink that the data on their server is "confidential." What I fear is that some non-technology savvy judge will actually follow this same train of thought and rule against Reuters. Is this ridiculous? Yes. Is it unfortunately all too real of a possibility? Yes as well.

    PS - I checked Netcraft and they are running Windows 2000 [netcraft.com]. Is it any surprise that their security guys would believe that data freely available on their server is secure if they also think a server on Win2k is secure in the first place?
  • by nordicfrost (118437) on Tuesday October 29, 2002 @04:44AM (#4554337)
    I always thought the golden rule was "If you don't want anyone on the 'net to to see it, don't publish it!". That's what we use on our site, if a new music video is to be published monday at noon, it is uploaded 11:59 and linked 12:00.


    AFAIK: There hasn't been a case like this in Scandinavia, so it could be interesting to see the outcome. Having read quite a lot of Norwegian and Swedish judgements on the subject, I think Intentia don't have a case as long as Reuters did not break any protection to get the documents.

  • Look! A snake! (Score:5, Insightful)

    by adolf (21054) <flodadolf@gmail.com> on Tuesday October 29, 2002 @04:45AM (#4554342) Journal
    Funny stuff, this.

    I'm going outside, right now, with copies of some of my own financial statements.

    I'm going to throw them onto the Main Street sidewalk, and stand just near enough to the pile that I can serve hastily-drawn lawsuit papers to anyone who dares to look.

    The documents are undeniably my property, after all. Nobody has the right to see them unless I erect a big fucking sign pointing them out, even if they are scattered about a public walkway.

    [Moral for the sarcasm-impaired: If you don't want your information to be public knowledge, now or ever, don't let it be publicly available. At all.]
  • by Thalia (42305) on Tuesday October 29, 2002 @04:48AM (#4554351)
    Here is a decent writeup [theregister.co.uk] from The Register. The accusation is that "results could only be accessed via a 40 character ID code." Now whether this is an extended address, or a password is unclear. It also notes that there are a couple of other firms that have also accused Reuters of hacking into their systems to get early access to reports.

    Actually, this does raise an interesting question. If a page is put on the web that cannot be spidered, and cannot be reached from any publicly available page, can we assume that anyone who accesses that page has some sort of unauthorized information? I have never heard of hackers systematically trying IP addresses for content. And it is in fact likely that Reuters got the info from an employee... in violation of the employment agreement.

    This should be a fascinating case, and not nearly as easy as the writeup makes it seem.

    Thalia

    • by Cpt_Corelli (307594) on Tuesday October 29, 2002 @05:15AM (#4554428)


      Please note that they are using Lotus Domino [lotus.com] as their web server. This means that there are no physical directories that you can chmod or "look into".

      The URL contains the Domino internal document ID (similar to a GUID) and I still can not understand how Reuters "guessed" that. Sounds to me like this is an internal leak...
      • by AlecC (512609) <aleccawley@gmail.com> on Tuesday October 29, 2002 @08:58AM (#4555201)
        I went to their site, and I looked for the (now visible) results. The URL looked like this:

        http://www.intentia.com/w2000.nsf/(files)/Intent ia _02_Q3_us.pdf/$FILE/Intentia_02_Q3_us.pdf

        The previous quarters reports are also available under ...02_Q2_us.pdf and so on. This URL is a lot more than 40 characters, but it hardly takes a rocket scintist to guess where Q3 is going to be when you know where Q1 and Q2 are. You really cannot call such guesswork "hacking".

      • by MightyTribble (126109) on Tuesday October 29, 2002 @09:33AM (#4555402)
        A few things about domino, from a sometimes-Domino admin:

        First, you can have *really awful* Domino URLs. this was not one of them - they took the time in their DB design to make it a nice, easy on the eyes address.

        Second, and more importantly, Domino makes Access Control trivial. It would have been the work of moments to make that db private. They didn't do that.

        Finally, Domino regularly indexes all public databases on a site. The search engine can also parse PDF files. This makes all public documents findable unless you take measures to prevent indexing. Given how these monkeys set up the rest of their site, I wouldn't be surprised if this PDF was findable via the websites' regular search feature.

        It looks like this company has *no clue* what they were doing, and is trying to blame someone else for it.
  • unlisted numbers (Score:3, Insightful)

    by cosyne (324176) on Tuesday October 29, 2002 @04:50AM (#4554360) Homepage
    In other news, dialing unlisted phone numbers without the express written consent of the number's owner is now a criminal offense.

    Krikey. I just don't know where they find people this stupid. Same goes for this deep linking crap. Maybe people should have to pass some sort of test before they get to use the Internet. Otherwise the have to use AOL until they at least understand that anything you post to the web could be publically accessible.
  • Here in France (Score:4, Informative)

    by OrangeSpyderMan (589635) on Tuesday October 29, 2002 @04:53AM (#4554370)
    For the record, there was a case recently here in France where a judge ruled in favour of a person who hacked the website of Tati, a retailer. In fact the only tools the hacker used were a regular browser, and the information was insufficiently protected. French speakers can read more here [kitetoa.com]. Google should be able to help the others :-). While this case isn't the same, in France this has made jurisprudence that information that isn't protected at all from basic navigation tools, can't be considered to be "stolen", even if the original intent was not to publish it.
  • by bovril (260284) <centreneptuneNO@SPAMyahoo.com.au> on Tuesday October 29, 2002 @04:55AM (#4554376) Homepage
    A few years back someone found they could get other people's details from the Australian Tax Office's site by manipulating the URL (that's the impression I got anyway). An ultra-quick googling turned this [abc.net.au] up. What happened to this guy? I can't remember. All I can remember is that he sounded really embarrassed when he was being interviewed and was referred to as a "hacker".
  • Well.... (Score:3, Funny)

    by mshiltonj (220311) <<mshiltonj> <at> <gmail.com>> on Tuesday October 29, 2002 @05:02AM (#4554395) Homepage Journal
    A small Swedish information technology company Monday filed criminal charges against news service Reuters PLC for obtaining an earnings report from a Web page it considered private.

    What a bunch of dumbasses.

    "The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.

    Translation: Now the whole world know we are a bunch of dumbasses. We have to blame someone.

  • What the law says: (Score:5, Interesting)

    by Albanach (527650) on Tuesday October 29, 2002 @05:04AM (#4554397) Homepage
    There's some discussionon the law - of course mainly American law which has little to do with whether it was legal or not where the crime actually happened.

    If they were to prosecute in the UK - I note Reuters replied to the allegations from their London HQ - here's what the law says:

    Computer Misuse Act (1990)
    Unauthorised access to computer material

    1.--(1) A person is guilty of an offence if--

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
    (b) the access he intends to secure is unauthorised; and
    (c) he knows at the time when he causes the computer to perform the function that that is the case.

    (2) The intent a person has to have to commit an offence under this section need not be directed at--

    (a) any particular program or data;
    (b) a program or data of any particular kind; or
    (c) a program or data held in any particular computer.

    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

    So, it's quite straightforward really - if they can prove Reuters knew they weren't supposed to be looking at that material, then if the access was from the UK, a crime was committed.

    If Reuters can argue they didn't know the material was private, there is no case to answer.

    Going back to the points some others have made about the information being publicaly accessible with no .htaccess protection, clearly this doesn't matter. If, for example, you were to make a clcik through that had to be viewed before you could see any of the content that stated the information was confidential then someone not supposed to be viewing it would be committing a crime to do so.

  • Reality? (Score:3, Informative)

    by AlCoHoLiC (67938) on Tuesday October 29, 2002 @05:04AM (#4554398)
    IMHO this PR stunt is an attempt to take the eye off their not so good results. According to the report Intentia's revenues declined by 14% during the period Jan-Sep 2002 and their operating margin is very close to ZERO.

    IANAL, but I think they're stepping on thin ice because report was already uploaded to public accessible server and thus it should be considered published. Even if there was no hyperlink pointing to it Intentia didn't take any protective measure to restrict the access to the report. Reuters didn't have to circumvent any security measures so they can be hardly accused of hacking. And since the report was on public server they can't be accused of unathorized access. Another possible scenario is that Reuters've got the information about the document location from an insider, but the report was already accessible by public so i can't see any wrongdoing.
  • by ukryule (186826) <slashdot.yule@org> on Tuesday October 29, 2002 @05:10AM (#4554411) Homepage
    Our mission is to pursue the perfect partnership, providing security in our customers' transformation to collaborative business models.

    Which roughly translates to: 'we want to use the internet securely'.
    They then put some confidential information on their public website, and sue the first people to read it ... Doh!
  • by rovingeyes (575063) on Tuesday October 29, 2002 @05:25AM (#4554450)
    From their website :

    Our vision is to become the leading global collaboration solutions vendor by supplying our customers with tomorrow's solutions today.

    Well as I see it Reuters only kept in line with their philosophy. So why are they pissed?

  • by Mnemia (218659) on Tuesday October 29, 2002 @05:33AM (#4554471)

    All these companies seem to think that the Web is like a magazine: their neat little layout is all anyone should be allowed to use. But they forget that the Web was intentially designed to facilitate deep linking and URL-typing for the purpose of transparent information exchange. They don't get to decide the layout and presentation of the data once they publish it so that it is accessible through an URL.

    There is nothing about implicit permission to view here. I assert that they are EXPLICITLY granting permission to any and all to view the document when they publish it via a non-password protected URL.

    That is the very foundation of the Web...without it we have interactive television.

  • by ctar (211926) <christophertar.gmail@com> on Tuesday October 29, 2002 @06:01AM (#4554547) Homepage
    Isn't it possible that Reuters had a bookmarked link to this URL? I know they say that it was unpublished, but maybe they had done redirection in the past, and Reuters bookmarked the redirected URL?

    While it may not be illegal to actually view and read this information, its potentially creating a conflict of interest for investors. If this was an earnings report published before its intended publication date, people will trade off that information. This could create a situation similar to insider trading.

    And regardless of this, if it is proved that Reuters did this intentionally, they are totally at fault. They know this information affects the markets, and that the information gives their clients a (potentially unfair) competitive advantage.

    If Intentia had an obvious Earnings Report or financial press release procedure, Reuters should know they will potentially be held responsible for releasing false information.

    What if this wasn't the final Earnings Report? Than Reuters would potentially affect the trading of Intentia stock based on false information...
  • by bobdotorg (598873) on Tuesday October 29, 2002 @06:30AM (#4554595)
    "The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.

    Yeah - no shit Sven, IT blunders with sensitive information tend to do that.

    But hey, just to make sure that everyone's confidence in your company is shattered, why don't you do the American thing and file a 'It can't possibly be my fault' lawsuit.
  • by Fex303 (557896) on Tuesday October 29, 2002 @06:38AM (#4554611)
    ...a script kiddie managed to hack into Hotmail's servers using a widely distributed hacking tool known as "Internet Explorer". The hacker typed the "URL" into the "Address Bar" and gained access to the site.

    From here, the hacker sent emails to a number of associates which read: "| 4m teh 1337 |-|aX0R!!!!!1 j00 4LL ArE Cr4P!!!"

    "Frankly, we're shocked," said one Hotmail employee. "Who would have thought that URL's would give access to sites on the interweb?" he continued before returning to his task of spamming Hotmail's users.

    The FBI are investigating the hacker, rumoured to be in junior high, as well as the distributor of the hacking software, a small company known as MicroSoft, already known for flouting the law. Updates as they come to hand.
  • Public viewing (Score:3, Insightful)

    by plumby (179557) on Tuesday October 29, 2002 @06:44AM (#4554632)
    The closest 'real-world' situation that I can imagine is someone sat in a public place reading a document with "Top Secret" written on it. Would this document be considered "public property" as the person was reading it in a place where anyone could easily read it over there shoulder?
  • by bobdotorg (598873) on Tuesday October 29, 2002 @06:52AM (#4554653)
  • by MajroMax (112652) on Tuesday October 29, 2002 @07:40AM (#4554826)
    I took a look at Inertia's website [inertia.com], and I think I found the link to the file that Reuters got early --

    http://www.intentia.com/w2000.nsf/files/kjafd_0210 _us.pdf/$FILE/kjafd_0210_us.pdf

    Now will someone who reads the relevant language tell me what, if anything 'kjafd' means? Links to other reports were all in a very similar vein, although the 'kjafd' part changes in a nonobvious pattern.

  • by OverCode@work (196386) <{moc.liamg} {ta} {edocrevo}> on Tuesday October 29, 2002 @08:47AM (#4555139) Homepage
    Publishing an earnings report before the company announces it is still rude, even if it's not technically illegal. I hope this case is thrown out, so as not to set a precedent, but I think it was a lousy thing of Reuters to do. It's one thing to guess URL's and obtain advance information for your own personal use; it's quite another to publish it to the rest of the world.

    -John
    • ... providing you knew that it was private. There was no "confidential" mark on it. It appeared in the place where the published results were expected to appear. How were Reuters to guess that it wan't released for publication yet?
  • by MrByte420 (554317) on Tuesday October 29, 2002 @10:07AM (#4555733) Journal
    By defintion putting a file in a "world readable" directory and setting the permissions to allow world access kinda implies that you don't care who reads this. Otherwise - why in the world would you allow this kind of access? If you place it in a world readable directory, you have no businness complaing the world can read it.
  • by no soup for you (607826) <jesse.wolgamott@gmail . c om> on Tuesday October 29, 2002 @10:10AM (#4555753) Homepage

    It's probably too late for this to do any google, but here's google's take on Secret Websites and URL guessing (from their webmaster's FAQ [google.com])

    6. Googlebot is downloading information from our "secret" web server.

    It is almost impossible to keep a web server secret by not publishing any links to it. As soon as someone follows a link from your "secret" server to another web server, it is likely that your "secret" URL is in the referer tag, and it can be stored and possibly published by the other web server in its referer log. So, if there is a link to your "secret" web server or page on the web anywhere, it is likely that Googlebot and other "web crawlers" will find it.

    IMHO, If you put something out there, and don't restrict anyonymous access, the information is freely accessible. Access is implicitly given - you can restrict access, not grant it.
  • by anser (224618) on Tuesday October 29, 2002 @10:14AM (#4555787) Homepage
    You can't go by what Intentia's website shows now, I suspect they changed their scheme (also known as 'locking the barn door after the barn burns down').

    If you do a Google search for intentia results [google.com], at least one early entry points to the Intentia 'press room' containing an earlier quarterly results announcement. The announcement page itself [intentia.com] does have a 24 bit hex ID number in the URL (BA45EE etc) that would be hard to guess for a new quarter. But on the announcement page is this link:

    Now the URL (which no longer works, natch) of the PDF file being linked to:
    is extremely easy to extrapolate to subsequent quarters. I have no doubt that's what Reuters did , for this company and many others with similarly easy naming schemes and early uploading schedules. And I have no doubt that other journalists pull the same trick. In this case, a company with results they'd rather nobody noticed has jumped at the opportunity to change the subject.
  • by sheetsda (230887) <doug.sheetsNO@SPAMgmail.com> on Tuesday October 29, 2002 @11:43AM (#4556482)
    My college protects grades a similar way before they're released, last semester I started publishing a form [muohio.edu] in my web space (hosted on their server :)) that allows you to get your grades (presumably) as soon as they're scanned in, several days before their intended release. I don't know if anyone on staff noticed and/or cared; it may be that the official release time is just there to prevent complaining about "she got her grades before I could". All that was required to make the form was stripping down their grade submit page and changing one of the options in a select.
  • by istartedi (132515) on Tuesday October 29, 2002 @01:37PM (#4557508) Journal

    ...don't play on the interstate.

    If you don't want people to see your internal company data, don't put it on the Internet.

    Got it boys and girls? Yes? OK, now we can have milk, graham crackers, and naptime.

  • by djtack (545324) on Tuesday October 29, 2002 @02:14PM (#4557808)
    From The Register article:

    However Intentia isn't alone in its accusations. Three other Scandinavian companies Nordea, the region's biggest bank; Fortum, the Finnish energy group; and Sweco, a small Swedish consultancy also claim that their results were published by Reuters ahead of their official release, the FT reports.

    The obvious conclusion from this... is that Reuters is in posession of a time machine.
  • by Blue23 (197186) on Tuesday October 29, 2002 @03:00PM (#4558213) Homepage
    Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report that they sent to Reuters with an accompany post-it note that said "please publish me". The catch? The report couldn't be accessed unless you understood an obscure and arcane code called "the English language". The precedent this case sets will be interesting. If you write a report in a language that has no native speakers that actually use it correctly, can it be considered public?
  • by Jump (135604) on Tuesday October 29, 2002 @03:13PM (#4558353)
    if they named urls like:

    www.my.com/report2000.pdf
    www.my.com/report2001.pdf

    and the world is waiting for 2002 report, would it really be a surprise when millions try to download www.my.com/report2002.pdf one day before the actual release? Come on, _everybody_ would do that. Perhaps one should sue Intentia for violating some stock exchange rules by not protecting the data.

  • by Dave21212 (256924) <dav@spamcop.net> on Tuesday October 29, 2002 @03:19PM (#4558454) Homepage Journal

    Technically speaking, I'm very familiar with the server platform they use (Domino) and it's extremely secure (NSA, CIA, etc use it). For them to characterize this as a 'break in' is stretching it a bit. Domino provides security from server level down to individual user roles and fields. It's very simple to secure a file or page. Additionally, the standard procedure is to not replicate data you don't want made public to an external box, just in case you forget to secure a document.

    For those of you interested in the technical/legal issues of 'publishing' the link, let's not forget that Domino has a few well-known powerful facilities to search and index content on a site... (ie: ?SearchView)

    Domino Developers Site [notes.net]
    Search URL Syntax [lotus.com]
    Documentation on R5 Search [lotus.com]
    Documentation Library [lotus.com]

"Pascal is Pascal is Pascal is dog meat." -- M. Devine and P. Larson, Computer Science 340

Working...