
Reuters Accused Of Hacking For Typing In URL

Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."
  • by nordicfrost ( 118437 ) on Tuesday October 29, 2002 @05:44AM (#4554337)
    I always thought the golden rule was "If you don't want anyone on the 'net to see it, don't publish it!". That's what we use on our site, if a new music video is to be published Monday at noon, it is uploaded 11:59 and linked 12:00.


    AFAIK: There hasn't been a case like this in Scandinavia, so it could be interesting to see the outcome. Having read quite a lot of Norwegian and Swedish judgements on the subject, I think Intentia don't have a case as long as Reuters did not break any protection to get the documents.

  • by Thalia ( 42305 ) on Tuesday October 29, 2002 @05:48AM (#4554351)
    Here is a decent writeup [theregister.co.uk] from The Register. The accusation is that "results could only be accessed via a 40 character ID code." Now whether this is an extended address, or a password is unclear. It also notes that there are a couple of other firms that have also accused Reuters of hacking into their systems to get early access to reports.

    Actually, this does raise an interesting question. If a page is put on the web that cannot be spidered, and cannot be reached from any publicly available page, can we assume that anyone who accesses that page has some sort of unauthorized information? I have never heard of hackers systematically trying IP addresses for content. And it is in fact likely that Reuters got the info from an employee... in violation of the employment agreement.

    This should be a fascinating case, and not nearly as easy as the writeup makes it seem.

    Thalia

  • Here in France (Score:4, Informative)

    by OrangeSpyderMan ( 589635 ) on Tuesday October 29, 2002 @05:53AM (#4554370)
    For the record, there was a case recently here in France where a judge ruled in favour of a person who hacked the website of Tati, a retailer. In fact the only tools the hacker used were a regular browser, and the information was insufficiently protected. French speakers can read more here [kitetoa.com]. Google should be able to help the others :-). While this case isn't the same, in France this has made jurisprudence that information that isn't protected at all from basic navigation tools, can't be considered to be "stolen", even if the original intent was not to publish it.
  • by TuringTest ( 533084 ) on Tuesday October 29, 2002 @05:56AM (#4554379) Journal
    Actually the correct link is this one [amazon.com].
  • Reality? (Score:3, Informative)

    by AlCoHoLiC ( 67938 ) on Tuesday October 29, 2002 @06:04AM (#4554398)
    IMHO this PR stunt is an attempt to take the eye off their not so good results. According to the report Intentia's revenues declined by 14% during the period Jan-Sep 2002 and their operating margin is very close to ZERO.

    IANAL, but I think they're stepping on thin ice because the report was already uploaded to a publicly accessible server and thus it should be considered published. Even if there was no hyperlink pointing to it, Intentia didn't take any protective measure to restrict the access to the report. Reuters didn't have to circumvent any security measures so they can hardly be accused of hacking. And since the report was on a public server they can't be accused of unauthorized access. Another possible scenario is that Reuters got the information about the document location from an insider, but the report was already accessible by the public so I can't see any wrongdoing.
  • by Cpt_Corelli ( 307594 ) on Tuesday October 29, 2002 @06:15AM (#4554428)


    Please note that they are using Lotus Domino [lotus.com] as their web server. This means that there are no physical directories that you can chmod or "look into".

    The URL contains the Domino internal document ID (similar to a GUID) and I still can not understand how Reuters "guessed" that. Sounds to me like this is an internal leak...
  • by ruisantos ( 316753 ) on Tuesday October 29, 2002 @06:37AM (#4554480)
    If you had a look [netcraft.com] you would have seen that they are running Lotus-Domino/0 on Windows 2000. The book is therefore useless.

    Are they going to sue me for this ?
  • Re:Ridiculous! (Score:2, Informative)

    by AHorseWithNoName ( 621372 ) on Tuesday October 29, 2002 @08:10AM (#4554727) Homepage
    In Danish, sorry: Link [computerworld.dk]
  • by avajadi ( 232509 ) <ewt.avajadi@org> on Tuesday October 29, 2002 @08:36AM (#4554809) Journal
    "Fact is, all security is obscurity."

    It is, in a general way. What the expression 'security through obscurity' describes, though, is not quite the fact that you make something secure by keeping secrets, but more a point of what you keep secret and how.

    Applying the security through obscurity to my apartment door would be by, for instance, making it hard to find the door handle instead of equipping the door with a lock. While it is true that in both cases the security lies in keeping something secret (the form of the key or the placement of the door handle) the solution that is based on a specific security technology is, quite obviously, the safest, by far.

    Before dismissing a mantra, make sure you understand what it really says.

    /Eddie
  • by MajroMax ( 112652 ) on Tuesday October 29, 2002 @08:40AM (#4554826)
    I took a look at Inertia's website [inertia.com], and I think I found the link to the file that Reuters got early --

    http://www.intentia.com/w2000.nsf/files/kjafd_0210_us.pdf/$FILE/kjafd_0210_us.pdf

    Now will someone who reads the relevant language tell me what, if anything 'kjafd' means? Links to other reports were all in a very similar vein, although the 'kjafd' part changes in a nonobvious pattern.

  • by JaredOfEuropa ( 526365 ) on Tuesday October 29, 2002 @08:59AM (#4554909) Journal
    Interestingly, that is how Dutch law works. If a document is not secured, it is considered to be public. Security through obscurity does not count; to be held accountable for cracking, you have to steal a password or actively circumvent security measures or use an exploit to gain access, meaning that you are aware that you are breaking into a secured system you are not meant to enter.
  • by NotesSauceBoss ( 568036 ) on Tuesday October 29, 2002 @10:09AM (#4555269)
    Domino on its own doesn't have a web server you need to use and can use Apache, IIS, or WebSphere with domino.

    Wrong. A Domino server out of the box includes full HTTP services. This is part of the generic install. No additional HTTP software is needed, although you *can* configure Domino to use an alternative HTTP stack if you prefer.

    Why isn't there a moderation setting for "incorrect?"

  • by MightyTribble ( 126109 ) on Tuesday October 29, 2002 @10:33AM (#4555402)
    A few things about domino, from a sometimes-Domino admin:

    First, you can have *really awful* Domino URLs. This was not one of them - they took the time in their DB design to make it a nice, easy on the eyes address.

    Second, and more importantly, Domino makes Access Control trivial. It would have been the work of moments to make that db private. They didn't do that.

    Finally, Domino regularly indexes all public databases on a site. The search engine can also parse PDF files. This makes all public documents findable unless you take measures to prevent indexing. Given how these monkeys set up the rest of their site, I wouldn't be surprised if this PDF was findable via the website's regular search feature.

    It looks like this company has *no clue* what they were doing, and is trying to blame someone else for it.
  • by Ethidium ( 105493 ) <chia_tek@@@yahoo...com> on Tuesday October 29, 2002 @10:40AM (#4555480) Homepage Journal
    >I wonder how their stock price is taking it?

    Was recovering from a nose dive until the 21st, and since then has been plummeting again. See Intentia's investor relations site [intentia.com].

    Also see Cowan Research LC [eventstudy.com], which makes a software package called Eventus to do event studies [eventstudy.com]

  • by no soup for you ( 607826 ) <jesse.wolgamott@noSPaM.gmail.com> on Tuesday October 29, 2002 @11:10AM (#4555753) Homepage

    It's probably too late for this to do any google, but here's google's take on Secret Websites and URL guessing (from their webmaster's FAQ [google.com])

    6. Googlebot is downloading information from our "secret" web server.

    It is almost impossible to keep a web server secret by not publishing any links to it. As soon as someone follows a link from your "secret" server to another web server, it is likely that your "secret" URL is in the referer tag, and it can be stored and possibly published by the other web server in its referer log. So, if there is a link to your "secret" web server or page on the web anywhere, it is likely that Googlebot and other "web crawlers" will find it.

    IMHO, if you put something out there, and don't restrict anonymous access, the information is freely accessible. Access is implicitly given - you can restrict access, not grant it.
  • Re:Ridiculous! (Score:3, Informative)

    by kasperd ( 592156 ) on Tuesday October 29, 2002 @11:41AM (#4555985) Homepage Journal
    The "hacker's" own version of the story is here [cubus.adsl.dk]. The report written to "datatilsynet" by a security expert is here [snakeoil.dk]. And the response is here [snakeoil.dk]. The case has been discussed on usenet in the two groups dk.edb.sikkerhed and dk.videnskab.jura, and on the discussion forum related to a weekly computer newspaper. But all of this is in Danish, I don't think much has been written in other languages about this case.
  • by tzanger ( 1575 ) on Tuesday October 29, 2002 @11:54AM (#4556104) Homepage

    No, Googlebot needs a link.

    No, it doesn't.

    Google plays tricks with servers. With apache, for instance it tries the venerable www.site.com/?M=A and ?S=D, ?N=A etc. tricks. If Apache isn't locked down, it'll happily bypass index.html and give you directory listings, and then spider any subdirectories using the same method. I had several of my unpublished directories found by google this way.

  • by Anonymous Coward on Tuesday October 29, 2002 @12:02PM (#4556160)
    You might want to testify on their behalf if you have that information in your browser cache, as they have now added garbage characters to each filename Intentia_02_Q3 is now dasdf_02_Q3... the directory has all the files named with weird formats and such now.

    Someone is covering tracks...
  • by Anonymous Coward on Tuesday October 29, 2002 @12:17PM (#4556285)
    Reuters published Intentia's report on Oct. 24 after it became available through Intentia's Web site. The report was available to anyone who typed the correct Web address. But Thomas Ahlerup, a spokesman for the company, said the Web page was not available through normal channels on the site.
    The article states that there was no password protecting the document and Ahlerup never states it either. Nobody broke into anything (store or website). Intentia published the document on their webserver, but never told anyone about it. I don't understand the confusion. If channel 6 plays a movie at 9 and I happen to turn my tv to that channel, am I hacking b/c channel 6 never advertised that they would have a movie playing? So how can Intentia put a document on a Public webserver, configure it to allow external access, and then complain that someone accessed it? You can't simply state that you have normal channels and that since they weren't followed it was hacking.
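
Added example, not part of any comment in this thread: a publisher-side audit that scans a web access log for embargoed documents served to unauthenticated clients before their release time, which is the exposure the thread describes. The embargo list, paths, hosts and log lines are constructed, and the log is assumed to be in Combined Log Format.

```python
import re
from datetime import datetime

# Combined Log Format: host ident authuser [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

# Hypothetical embargo list: document path -> official release time.
EMBARGO = {
    "/reports/q3_2002.pdf": datetime.fromisoformat("2002-10-24T08:00:00+02:00"),
}

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Oct/2002:07:12:03 +0200] "GET /reports/q3_2002.pdf HTTP/1.0" 200 48211 "-" "Mozilla/4.0"
192.0.2.11 - - [24/Oct/2002:07:15:40 +0200] "GET /reports/q3_2002.pdf HTTP/1.0" 401 512 "-" "Mozilla/4.0"
192.0.2.12 - alice [24/Oct/2002:07:20:00 +0200] "GET /reports/q3_2002.pdf HTTP/1.0" 200 48211 "-" "Mozilla/4.0"
192.0.2.13 - - [24/Oct/2002:08:05:00 +0200] "GET /reports/q3_2002.pdf HTTP/1.0" 200 48211 "http://www.example.com/ir/" "Mozilla/4.0"
192.0.2.14 - - [24/Oct/2002:07:30:00 +0200] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""

def early_anonymous_hits(log_text, embargo):
    """Return (host, path, time, referer) for each embargoed document that
    was served (2xx) to a client with no authenticated user before release."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        release = embargo.get(path)
        if release is None:
            continue  # not an embargoed document
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        served = m["status"].startswith("2")   # content actually delivered
        anonymous = m["user"] == "-"           # no HTTP-authenticated user
        if served and anonymous and when < release:
            # A referer of "-" means the request did not follow a link.
            hits.append((m["host"], path, when.isoformat(), m["referer"] or "-"))
    return hits

if __name__ == "__main__":
    for hit in early_anonymous_hits(SAMPLE_LOG, EMBARGO):
        print(hit)
```

A hit means the server itself handed the file to an anonymous request; the fix is access control on the document or uploading it only at release time, not a less guessable name.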
  • by Dudio ( 529949 ) on Tuesday October 29, 2002 @01:09PM (#4556656)
    If you have Page Rank and/or the Category button enabled in the Toolbar, it definitely "phones home" to Google WRT which sites you hit. This is explained during setup (IIRC), and in the options page where you can change enable/disable these features. Check out Google's Toolbar Privacy Policy [google.com] for more info. on this.
  • by FTL ( 112112 ) <slashdot@neil.fras[ ]name ['er.' in gap]> on Tuesday October 29, 2002 @01:23PM (#4556856) Homepage
    >Fact is, all security is obscurity. Security rests on the notion of a shared secret. Some key that both you and the other guy know.

    Wrong. The security guard at the bank who's holding a rather impressive weapon isn't the slightest bit obscure. The security he provides is based on not being obscure.

  • by Dave21212 ( 256924 ) <dav@spamcop.net> on Tuesday October 29, 2002 @04:19PM (#4558454) Homepage Journal

    Technically speaking, I'm very familiar with the server platform they use (Domino) and it's extremely secure (NSA, CIA, etc use it). For them to characterize this as a 'break in' is stretching it a bit. Domino provides security from server level down to individual user roles and fields. It's very simple to secure a file or page. Additionally, the standard procedure is to not replicate data you don't want made public to an external box, just in case you forget to secure a document.

    For those of you interested in the technical/legal issues of 'publishing' the link, let's not forget that Domino has a few well-known powerful facilities to search and index content on a site... (ie: ?SearchView)

    Domino Developers Site [notes.net]
    Search URL Syntax [lotus.com]
    Documentation on R5 Search [lotus.com]
    Documentation Library [lotus.com]
