Reuters Accused Of Hacking For Typing In URL
Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."
Doesn't seem very serious of Intentia (Score:4, Informative)
AFAIK: There hasn't been a case like this in Scandinavia, so it could be interesting to see the outcome. Having read quite a lot of Norwegian and Swedish judgements on the subject, I think Intentia don't have a case as long as Reuters did not break any protection to get the documents.
A decent writeup, and an interesting question... (Score:5, Informative)
Actually, this does raise an interesting question. If a page is put on the web that cannot be spidered, and cannot be reached from any publicly available page, can we assume that anyone who accesses that page has some sort of unauthorized information? I have never heard of hackers systematically trying IP addresses for content. And it is in fact likely that Reuters got the info from an employee... in violation of the employment agreement.
This should be a fascinating case, and not nearly as easy as the writeup makes it seem.
Thalia
Reality? (Score:3, Informative)
IANAL, but I think they're stepping on thin ice because the report was already uploaded to a publicly accessible server and thus it should be considered published. Even if there was no hyperlink pointing to it, Intentia didn't take any protective measure to restrict access to the report. Reuters didn't have to circumvent any security measures, so they can hardly be accused of hacking. And since the report was on a public server they can't be accused of unauthorized access. Another possible scenario is that Reuters got the information about the document location from an insider, but the report was already accessible by the public so I can't see any wrongdoing.
It is Lotus Domino... (Score:5, Informative)
Please note that they are using Lotus Domino [lotus.com] as their web server. This means that there are no physical directories that you can chmod or "look into".
The URL contains the Domino internal document ID (similar to a GUID) and I still can not understand how Reuters "guessed" that. Sounds to me like this is an internal leak...
Re:Related: what about referer logs (Score:2, Informative)
Are they going to sue me for this?
Re:There are technical solutions (Score:1, Informative)
It is, in a general way. What the expression 'security through obscurity' describes, though, is not quite the fact that you make something secure by keeping secrets, but more a point of what you keep secret and how.
Applying security through obscurity to my apartment door would be, for instance, making it hard to find the door handle instead of equipping the door with a lock. While it is true that in both cases the security lies in keeping something secret (the form of the key or the placement of the door handle), the solution that is based on a specific security technology is, quite obviously, the safest, by far.
Before dismissing a mantra, make sure you understand what it really says.
/Eddie
And the magic URL is... (Score:3, Informative)
http://www.intentia.com/w2000.nsf/files/kjafd_0210_us.pdf/$FILE/kjafd_0210_us.pdf
Now will someone who reads the relevant language tell me what, if anything 'kjafd' means? Links to other reports were all in a very similar vein, although the 'kjafd' part changes in a nonobvious pattern.
Re:Related: what about referer logs (Score:5, Informative)
Wrong. A Domino server out of the box includes full HTTP services. This is part of the generic install. No additional HTTP software is needed, although you *can* configure Domino to use an alternative HTTP stack if you prefer.
Why isn't there a moderation setting for "incorrect?"
Re:It is Lotus Domino... (Score:5, Informative)
First, you can have *really awful* Domino URLs. This was not one of them - they took the time in their DB design to make it a nice, easy-on-the-eyes address.
Second, and more importantly, Domino makes Access Control trivial. It would have been the work of moments to make that db private. They didn't do that.
Finally, Domino regularly indexes all public databases on a site. The search engine can also parse PDF files. This makes all public documents findable unless you take measures to prevent indexing. Given how these monkeys set up the rest of their site, I wouldn't be surprised if this PDF was findable via the website's regular search feature.
It looks like this company has *no clue* what they were doing, and is trying to blame someone else for it.
Re:Stating the obvious (Score:3, Informative)
Was recovering from a nose dive until the 21st, and since then has been plummeting again. See Intentia's investor relations site [intentia.com].
Also see Cowan Research LC [eventstudy.com], which makes a software package called Eventus to do event studies [eventstudy.com]
Google Take on Secret Servers (Score:5, Informative)
It's probably too late for this to do any good, but here's Google's take on secret websites and URL guessing (from their webmaster's FAQ [google.com])
IMHO, if you put something out there and don't restrict anonymous access, the information is freely accessible. Access is implicitly given - you can restrict access, not grant it.
Re:Related: what about referer logs (Score:5, Informative)
No, Googlebot needs a link.
No, it doesn't.
Google plays tricks with servers. With apache, for instance it tries the venerable www.site.com/?M=A and ?S=D, ?N=A etc. tricks. If Apache isn't locked down, it'll happily bypass index.html and give you directory listings, and then spider any subdirectories using the same method. I had several of my unpublished directories found by google this way.
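Whether it is a crawler or a person, a fetch of an "unlinked" document still shows up in the server log. The following is an added example, not code from any poster: a Python log audit that flags the Apache sort-order directory-listing requests described above (?M=A, ?S=D, ?N=A and the 2.x C/O equivalents) and successful referer-less fetches of files under a path the site never links to. The log lines, addresses and the /reports/ prefix are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2002:10:01:02 +0000] "GET /reports/?M=A HTTP/1.0" 200 1843 "-" "Googlebot/2.1"
203.0.113.5 - - [10/Oct/2002:10:01:03 +0000] "GET /reports/?N=D HTTP/1.0" 200 1843 "-" "Googlebot/2.1"
198.51.100.9 - - [10/Oct/2002:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2002:10:02:40 +0000] "GET /reports/q3_2002.pdf HTTP/1.1" 200 90211 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Sort keys accepted by Apache's directory index: N/M/S/D in 1.3 (the tricks
# mentioned in the post above), C/O in 2.x. A listing request is a directory
# path plus one of these keys.
AUTOINDEX_KEYS = {"N", "M", "S", "D", "C", "O"}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_autoindex_probe(target):
    """True for requests like /dir/?M=A that ask Apache for a sorted directory listing."""
    parts = urlsplit(target)
    if not parts.path.endswith("/"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(k in AUTOINDEX_KEYS for k in query)


def audit(log_text, unlinked_prefixes):
    """Flag (a) directory-listing probes answered with 200 and (b) successful
    referer-less fetches of files under paths that nothing on the site links to."""
    probes, unreferred = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        target = rec["target"]
        if is_autoindex_probe(target):
            probes.append(target)
        elif rec["referer"] in ("", "-") and not target.endswith("/") \
                and target.startswith(tuple(unlinked_prefixes)):
            unreferred.append(target)
    return {"autoindex_probes": probes, "unreferred_hits": unreferred}
```

A 200 on a listing probe means `Options -Indexes` (or an index document) is missing for that directory; referer-less hits on unlinked files are the trail a leaked or guessed address leaves behind.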
Re:It is Lotus Domino... (Score:1, Informative)
Someone is covering tracks...
Re:There are technical solutions (Score:3, Informative)
Wrong. The security guard at the bank who's holding a rather impressive weapon isn't the slightest bit obscure. The security he provides is based on not being obscure.
Very Familiar with their servers... (Score:3, Informative)
Technically speaking, I'm very familiar with the server platform they use (Domino) and it's extremely secure (NSA, CIA, etc. use it). For them to characterize this as a 'break in' is stretching it a bit. Domino provides security from the server level down to individual user roles and fields. It's very simple to secure a file or page. Additionally, the standard procedure is to not replicate data you don't want made public to an external box, just in case you forget to secure a document.
For those of you interested in the technical/legal issues of 'publishing' the link, let's not forget that Domino has a few well-known, powerful facilities to search and index content on a site... (i.e. ?SearchView)
Domino Developers Site [notes.net]
Search URL Syntax [lotus.com]
Documentation on R5 Search [lotus.com]
Documentation Library [lotus.com]