
Reuters Accused Of Hacking For Typing In URL

Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."
  • by jukal ( 523582 ) on Tuesday October 29, 2002 @05:26AM (#4554264) Journal
    What if you get the link for the yet unpublic page from the referrer logs of your own site, for example www.reuters.com -logs. Would using that information be criminal?

    Here's [slashdot.org] a related thread from yesterday.

  • Online or not. (Score:2, Interesting)

    by dda ( 527064 ) on Tuesday October 29, 2002 @05:28AM (#4554270) Homepage
    I think that by definition: online means available, and not linked. If it has to be sanctioned because it was online, then yes, they must be guilty.
  • by technix4beos ( 471838 ) <cshaiku@gmail.com> on Tuesday October 29, 2002 @05:32AM (#4554289) Homepage Journal
    If their webserver is attached to the internet in any way, then anything it is "serving" is fair game, and should thus be protected appropriately.

    This story sounds like someone got careless, and didn't lock down the folder the data lived in.

    Sounds also like someone (their admin?) is trying to cover up the error by reporting to his (clueless?) bosses that obviously it was hacked, else how could they -ever- get that information, right? (yeah, right.)

    Perhaps the admin should check out this handy url and order his copy soon.

    http://www.amazon.com/exec/obidos/tg/detail/-/1861007221/qid=1035883929/sr=8-2/ref=sr_8_2/104-2611328-8021524?v=glance&n=507846

    I know I did, and it's invaluable.
  • Hacking? (Score:1, Interesting)

    by Anonymous Coward on Tuesday October 29, 2002 @05:33AM (#4554293)
    That would imply the firm took some sort of measure that was circumvented. Last I heard you did not NEED to post anything (for storage purposes) to a website...doing so makes them accessible. Also, you can set permissions for your webserver/directories, so I do not see why they are making a fuss. Maybe they should have secured the page, or better yet, not put it on the server until it was ready. Smart webmasters/admins have already dealt with this (Ex: PHP Nuke will not let you access a module ("section") outside of the script). Isn't there something called .htaccess?

    Bah
  • by Anonymous Coward on Tuesday October 29, 2002 @05:36AM (#4554304)
    You think that's a rhetorical question, but it isn't: What about the http://www.someforum.com/?user=JohnDoe&pass=5f3H26 referer in your logs? Is that still just a "hidden" address and are you allowed to access that page?
  • by grahamtriggs ( 572707 ) on Tuesday October 29, 2002 @05:39AM (#4554315)

    Let's think about this for a minute... if I remember the URL that was used to access a particular resource, and just type it in again at a later date (or even just recall a stored bookmark), am I hacking the site, just because the link I used originally may not exist any more?

    Hell, if I just type a domain name into the browser, am I considered to be hacking the site (because it may not be indexed by the search engines yet, etc.)?

    The internet is a 'public' network... (in terms of ability to access resources, not necessarily in the ownership of the material found there)...

    It is easy enough to 'secure' data (at least in a trivial sense), and the responsibility has to be on the 'publisher' to make a reasonable attempt to protect data that they do not wish to be generally available... not linking to a resource does not constitute a reasonable attempt.
  • by Stubtify ( 610318 ) on Tuesday October 29, 2002 @05:39AM (#4554316)
    While this seems absurd on the surface, I could see a judgement going either way, for mainly two reasons.

    First, Reuters' position would probably be that the data was on a public network which was in plain view as long as the url is typed in. I myself do this all the time, why go to www.microsoft.com, click once on support, then click on download when I know the url I want is www.microsoft.com/download. It saves time and trouble. However their "accidental" stumbling upon of this data, which is far more important than anything I'd ever likely find on accident would most likely not fall into the same category. IANAL, but at the same time I would argue that anything they don't want leaked shouldn't be put online anyway, and especially without any security.

    However, I can see Intentia International's point of view. What's to stop someone from simply hitting their webserver with every alpha-numeric combination possible. They'll eventually come across the correct one for some piece of information which had gone previously undiscovered because it was to be placed up at a time which was decided by Intentia or any other company for that matter. I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/financial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password. And, scarily enough if they showed a direct relationship between all pages not yet linked and their corresponding URL perhaps a big fat DMCA case might come about if Reuters or someone figured that "~a2eslcf" meant "third quarter" in some sorry 2 bit encryption.

  • Re:Ridiculous! (Score:5, Interesting)

    by Anonymous Coward on Tuesday October 29, 2002 @05:39AM (#4554317)
    Here in Denmark we have a similar (but more serious) case. A micro-payment system called Valus owned and developed by a Norwegian bank (Den Norske Bank) was "hacked" on its premiere day by typing in a simple URL with the command SHUTDOWN at the end. The link to do this was published on an online debate forum and several people tried the link (although it had a warning that you should not try it:-). The problem was missing input validation (maybe the most basic security issue). Until now five people have been taken to court - one of them being the "mastermind" who posted the link. As a reaction to this behaviour Valus has been reported to the state agency for protection of personal data (Datatilsynet) for not securing personal data.
  • WTF (Score:2, Interesting)

    by aristoidaneel ( 308018 ) <aristoidaneel@@@yahoo...com> on Tuesday October 29, 2002 @05:41AM (#4554327) Journal
    If you transmit something via RF, anyone can listen to it. It doesn't matter the content. If you don't take precautions to restrict access to information, then you might as well be giving it away. It doesn't matter that the Police don't want me listening to their transmissions, they don't encrypt them, or protect them, so they are mine for the taking; whether or not the freq is listed (although it almost always is listed here in the US). URLs like frequencies are just way of addressing specific data. (from the human point of view...)
  • by MalleusEBHC ( 597600 ) on Tuesday October 29, 2002 @05:43AM (#4554333)
    "The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.

    While most everyone here will agree that Reuters at worst could have their actions described as exploiting Intentia's utter stupidity, quotes like this show how little some people know about computers. This guy obviously thinks that just because they didn't provide an explicit hyperlink that the data on their server is "confidential." What I fear is that some non-technology savvy judge will actually follow this same train of thought and rule against Reuters. Is this ridiculous? Yes. Is it unfortunately all too real of a possibility? Yes as well.

    PS - I checked Netcraft and they are running Windows 2000 [netcraft.com]. Is it any surprise that their security guys would believe that data freely available on their server is secure if they also think a server on Win2k is secure in the first place?
  • by Boing ( 111813 ) on Tuesday October 29, 2002 @05:48AM (#4554349)
    It could have easily been protected by .htaccess or whatever. So, they have no case.

    A store can easily be protected by purchasing video cameras. That doesn't make it legal to burglarize a store that just uses lock-and-key.

    Just because their attempt at security left a lot to be desired doesn't mean they have no case. Any website could "easily" be protected by some level of security, but having a lesser level of security doesn't absolve attackers.

    Note that I am not arguing that Intentia has any legal ground. I'm just noting that your argument has nothing to do with the true legality of Reuters' actions.
  • by Ripplet ( 591094 ) on Tuesday October 29, 2002 @05:55AM (#4554378)
    Sure it can be punished, if:
    1. You can find the person who now has the object.
    2. You can prove that particular object is yours.
    That's theft alright. Coupla big 'if's though.

    But if you leave some secret object in a public place, and someone takes a photo of it and publishes it, but leaves the object there, can you punish them for that? Ridiculous right?

    So I'm allowed to guess www.intentia.com, but I'm not allowed to guess www.intentia.com/topsecret.html?
    Ridiculous again.

    Case dismissed.
  • no case here (Score:2, Interesting)

    by Dexter's Laboratory ( 608003 ) on Tuesday October 29, 2002 @05:58AM (#4554389)
    Seems like the document wasn't protected, and also, why publish something if they don't mean to publish it? Thirdly, wouldn't it be possible that google and other search engines have found this document and indexed it?
  • What the law says: (Score:5, Interesting)

    by Albanach ( 527650 ) on Tuesday October 29, 2002 @06:04AM (#4554397) Homepage
    There's some discussion on the law - of course mainly American law which has little to do with whether it was legal or not where the crime actually happened.

    If they were to prosecute in the UK - I note Reuters replied to the allegations from their London HQ - here's what the law says:

    Computer Misuse Act (1990)
    Unauthorised access to computer material

    1.--(1) A person is guilty of an offence if--

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
    (b) the access he intends to secure is unauthorised; and
    (c) he knows at the time when he causes the computer to perform the function that that is the case.

    (2) The intent a person has to have to commit an offence under this section need not be directed at--

    (a) any particular program or data;
    (b) a program or data of any particular kind; or
    (c) a program or data held in any particular computer.

    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

    So, it's quite straightforward really - if they can prove Reuters knew they weren't supposed to be looking at that material, then if the access was from the UK, a crime was committed.

    If Reuters can argue they didn't know the material was private, there is no case to answer.

    Going back to the points some others have made about the information being publicly accessible with no .htaccess protection, clearly this doesn't matter. If, for example, you were to make a click through that had to be viewed before you could see any of the content that stated the information was confidential then someone not supposed to be viewing it would be committing a crime to do so.

  • by blastedtokyo ( 540215 ) on Tuesday October 29, 2002 @06:13AM (#4554418)
    IANAL and I don't care if it's legal or not but I think it's still wrong what Reuters did.

    There's no doubt that the company that let their financials get out were completely moronic about their security. That, however, does not change whether or not it was wrong to hunt for this information. It's no different from the 'she was wearing something revealing so I have the right to rape/sexually harass her' fallacy.

    It comes down to what the intent was and what the resulting action was. First, the Reuters reporter was probably looking for the data that wasn't released yet. He had intent to get something he wasn't supposed to have and get a story out of it. It's no different from someone with binoculars eying a payphone at an airport to steal calling card numbers from people who don't cover their keypads when dialing and then publishing the number/selling it/or using it to call some people.

    The second half of the equation is what they do with it. Reuters had a scoop to gain by publishing this information early. If the reporter used this information to short the stock before it was released, that'd be illegal too. Think if we were dealing with something other than a press release. What if it was child pornography? Someone surfs to a random URL and finds child pornography. He could argue that he ran into it by accident, closed the browser and forgot about it. He's probably not going to be in too much trouble. But if he posts the link up on slashdot claiming the story's about linux, emails it to 1000 people, prints the pictures and mails copies to the police, then he's definitely guilty. Here Reuters found it and published it to get a story out of it. They acted on it and gave away something that wasn't theirs.

  • by Anonymous Coward on Tuesday October 29, 2002 @06:17AM (#4554432)
    One of the defendants in the Petswarehouse case was accused of "hacking" into the petswarehouse site. He did this by altering one digit of a URL.

    After he placed an order, it sent him to a page that was a simple URL that contained an order number. That page displayed ALL of his info, including credit-card number. He decided to see what would happen if he changed a single digit in the order number. Imagine his surprise when he saw some other customer's order complete with CC number!

    Petswarehouse actually tried to get the FBI to charge him with computer crimes for this amazing display of L88T HAX0R skillz. (sorry, I suck at hacker speak!)

    For info about the case, see:
    http://petsforum.com/psw/Docket.htm
  • by D+iz+a+n+k+Meister ( 609493 ) on Tuesday October 29, 2002 @06:30AM (#4554460) Journal
    The problem with "ah well, these guys were just poking around, the publishers should have used proper security" is that it raises the bar of what security is to what we experts think it ought to be. Many people don't have the capability to employ such measures, so we're denying them legal recourse.

    1. These people are experts.
    2. From a practical viewpoint, it should not have been on that server if it wasn't to be served. Anyone with sensitive data should at least be able to employ that measure.
    3. Why should they have legal recourse against typing things in the address bar of a browser?
  • by passthecrackpipe ( 598773 ) <passthecrackpipe AT hotmail DOT com> on Tuesday October 29, 2002 @06:51AM (#4554521)
    I don't think this is about security, or .htaccess, or typing a URL, or anything technical whatsoever. This is simply a company that is being *extremely* clever when it comes to Marketing.

    Yesterday, I, as an IT professional that makes purchasing decision for a large organisation, had never heard from this company. Now I know they make Collaborative Solutions. All it cost them was a bogus courtcase with Reuters.

    This is clever marketing, nothing more, nothing less. Anyone can spot the lack of merits of this case from a mile away. Brand and name recognition of this company is soaring though. I wonder how their stock price is taking it?

  • by Fnagaton ( 580019 ) on Tuesday October 29, 2002 @07:46AM (#4554636) Homepage Journal
    I would have thought that the bigger story here would be that Intentia has released price sensitive information before they should have done by making available from non-secure download their Q3 results. There are lots of regulations that mean companies get in to a lot of trouble for leaking their results ahead of time. I think Reuters did us all a favour for highlighting this security risk.
  • by Romanpoet ( 264167 ) on Tuesday October 29, 2002 @07:57AM (#4554675) Homepage
    However, what about those people that run default cfg's and accidentally put their password lists online to those who know the default cfg problem? (I've seen this happen a few times before)

    Granted, it is a very very stupid error, but getting that password list (even though it is online) I would say constitutes some level of hacking.

    -Romanpoet
  • by d-Orb ( 551682 ) on Tuesday October 29, 2002 @08:03AM (#4554699) Homepage
    A couple of years ago, we had submitted a bid for a (substantial) research contract. The results of the bid were held in the website, but were easily reached by typing the correct URL. Indeed, we found out about it just by using their search engine, which did index the offending pages. We were aware of the bid not being successful (sigh!) about a week before the official announcement. It was a bit embarrassing when at the official announcement most of the institutions who had not been successful had all had a good excuse for not turning up :-)
  • by Kierthos ( 225954 ) on Tuesday October 29, 2002 @08:28AM (#4554781) Homepage
    Thing is, Reuters didn't just "look". They published. Which, using the same analogy, would be looking into your house, and reporting to any and all passers-by what was going on inside.

    Furthermore, there are "Peeping Tom" laws for residences and businesses. So, even looking in, if I leave the blinds up, can be illegal.

    Kierthos
  • by jmo_jon ( 253460 ) on Tuesday October 29, 2002 @09:03AM (#4554922) Journal
    Imagine this scenario:

    An employee of a company takes their earnings report to a train station and leaves it there. A random person who happens to be a journalist picks it up and reads it through. He realises that this is dynamite since his paper will be the first one printing it so he decides to print it.

    Now will that journalist be guilty of espionage or will the employee at the company be the one to blame? I think none doubts it will be the employee making the mistake and I can't see the difference in putting it on their official website. Of course none knows what it is and it's hard to find just like a random paper in a train station. But the fact remains, someone at the company put the secret paper in a public forum in which someone happened to find it.

    I wonder what will happen if they win the sue. Will everyone linking to a page be forced to check constantly that the site they are linking to still has an 'official' link to the document, or risk facing charges?
  • Re:Stupidity (Score:2, Interesting)

    by just_because_it's_ir ( 621364 ) on Tuesday October 29, 2002 @09:32AM (#4555057)
    Just out of interest - were they breaking any kind of press embargo here? Press releases and the like are often put in an obvious place (e.g. www.anysite.com/press/todays_date.html), so Reuters would have had a chance to guess the url based on their knowledge of previous press releases - which would be a breach of trust. In any case, if it was embargoed, which this kind of release probably would be, it's surely not very ethical to run the story a few hours early for the sake of the scoop.
  • by Arker ( 91948 ) on Tuesday October 29, 2002 @09:34AM (#4555066) Homepage

    Frankly, this is a pretty bad way to get your name out - an IT company that doesn't understand the web any better than this? I wouldn't hire them to do anything, they sound totally incompetent. But they say any publicity is good publicity...

  • URL = Hacking ? (Score:2, Interesting)

    by majland ( 1793 ) on Tuesday October 29, 2002 @09:53AM (#4555179) Homepage
    A Danish company (http://www.valus.dk) presented last spring an electronic wallet that could be used for paying small amounts on the internet.

    On a chatboard hosted by the magazine www.computerworld.dk their safety was discussed.

    Someone posted that entering http://www.valus.dk/badscript.asp?x;shutdown would shutdown their server.

    Another one couldn't resist testing whether it was a joke or not, so he entered the URL and the server shutdown... He tried it again the next day and it went down again ....

    A few months later the police knocked on his door, confiscated his computer and he is now charged for "hacking".

    They argue that he should have known that the above URL would shutdown the server (he was told in the chatboard) so it was a deliberate DOS attack !!

    Try a search on groups.google.com for www.valus.dk

    i.e
    http://groups.google.com/groups?hl=da&lr=&ie=UTF-8&threadm=aokrr5%24lr9%241%40tux.netsite.dk&rnum=2&prev=/groups%3Fhl%3Dda%26lr%3D%26ie%3DISO-8859-1%26q%3Dwww.valus.dk%26btnG%3DGoogle-s%25F8gning

    or

    http://www.snakeoil.dk/kommentarer/20021028-1 /Anders
  • Re:URL = Hacking ? (Score:2, Interesting)

    by majland ( 1793 ) on Tuesday October 29, 2002 @09:58AM (#4555199) Homepage
    The "hackers" own story - in Danish

    http://cubus.adsl.dk/elteknik/div/valushacker.php
  • by Anarchofascist ( 4820 ) on Tuesday October 29, 2002 @10:08AM (#4555261) Homepage Journal
    There was a similar case in Australia a few years ago, so please forgive me for not going into great detail, as my memory is no longer photographic.

    It seems there was an Australian Government site for information about your tax status. You entered your tax file number (same as the US SSN), plus a little more information to verify your identity, and then were shown a page with some tax information of some sort.

    One man noticed that the page he was eventually directed to was http://somethingsomething.gov.au/something.asp?tfn={his-tax-file-number} and wondered how good the security was. So of course, he types in another tax file number in the address field to test it.

    BLING! Someone else's tax information pops up! No security at all, someone had just dumped this simple database-access script on the web for all to see! He tells someone in the tax department (big mistake) about the security flaw and POW a piano falls on his head. Metaphorically speaking.

    Are there any Aussies in the audience who remember any more details about this one? It was at least 3 years ago.. can't remember the final outcome.
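
The flaw described in the Petswarehouse comment and in the Australian tax-file comment above is the same one: the record identifier in the URL is the only thing the server checks. As an added example (not code from either site; the store, account names and card numbers are constructed), the 'before' handler next to one that decides from the logged-in session:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str        # account that placed the order
    item: str
    card_number: str  # constructed digits, not a real card


# Constructed sample data with sequential ids, as in the URLs described above.
ORDERS = {
    1001: Order(1001, "alice", "aquarium filter", "0000111122223333"),
    1002: Order(1002, "bob", "dog leash", "0000444455556666"),
}


class NotFound(Exception):
    """Raised for a missing order and for an order owned by someone else."""


def mask_card(number: str) -> str:
    """Show only the last four digits; a receipt page needs no more."""
    return "*" * (len(number) - 4) + number[-4:]


def view_order_insecure(order_id: int) -> dict:
    """'Before': whoever supplies an id gets that record, card number included."""
    order = ORDERS[order_id]
    return {"id": order.order_id, "item": order.item, "card": order.card_number}


def view_order(session_user, order_id) -> dict:
    """'After': access is decided from the authenticated session, not the URL."""
    if session_user is None:
        raise NotFound()
    try:
        order = ORDERS[int(order_id)]
    except (KeyError, ValueError, TypeError):
        raise NotFound() from None
    if order.owner != session_user:
        # Same error as a missing id, so the reply does not reveal
        # which order numbers exist.
        raise NotFound()
    return {"id": order.order_id, "item": order.item,
            "card": mask_card(order.card_number)}


if __name__ == "__main__":
    print(view_order_insecure(1002))   # any caller sees bob's full card number
    print(view_order("alice", 1001))   # alice sees her own order, card masked
    try:
        view_order("alice", 1002)      # alice edits one digit of the id
    except NotFound:
        print("order 1002: not found for alice")
```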
  • by Dun Malg ( 230075 ) on Tuesday October 29, 2002 @11:00AM (#4555664) Homepage
    Granted, it is a very very stupid error, but getting that password list (even though it is online) I would say constitutes some level of hacking

    and I would say that getting the password list is no sort of crime. Using the passwords, however, would be.
  • by macdaddy ( 38372 ) on Tuesday October 29, 2002 @11:07AM (#4555729) Homepage Journal
    Better analogy: the video store put "Episode I" DVDs on the shelf early thinking that since they hadn't advertised they had them they'd be safe. A customer looking in the obvious location (next to the "later" releases) found the video and told his friend. The store got pissy and complained. That's a better analogy.
  • by anser ( 224618 ) on Tuesday October 29, 2002 @11:14AM (#4555787) Homepage
    You can't go by what Intentia's website shows now, I suspect they changed their scheme (also known as 'locking the barn door after the barn burns down').

    If you do a Google search for intentia results [google.com], at least one early entry points to the Intentia 'press room' containing an earlier quarterly results announcement. The announcement page itself [intentia.com] does have a 24 bit hex ID number in the URL (BA45EE etc) that would be hard to guess for a new quarter. But on the announcement page is this link:

    Now the URL (which no longer works, natch) of the PDF file being linked to:
    is extremely easy to extrapolate to subsequent quarters. I have no doubt that's what Reuters did, for this company and many others with similarly easy naming schemes and early uploading schedules. And I have no doubt that other journalists pull the same trick. In this case, a company with results they'd rather nobody noticed has jumped at the opportunity to change the subject.
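
The situation this thread keeps returning to is a file uploaded early under a name that can be extrapolated. As an added example (not Intentia's or anyone's actual setup; the paths, times and bodies are constructed), a small WSGI app that releases a document only once its embargo time has passed and records requests that arrive early. It assumes the file is held behind application code rather than dropped into the static document root.

```python
from datetime import datetime, timezone
from wsgiref.util import setup_testing_defaults

UTC = timezone.utc

# Constructed manifest: URL path -> (embargo lift time, content type, body).
RELEASES = {
    "/press/q2_report.pdf": (datetime(2030, 7, 24, 7, 0, tzinfo=UTC),
                             "application/pdf", b"Q2 figures"),
    "/press/q3_report.pdf": (datetime(2030, 10, 24, 7, 0, tzinfo=UTC),
                             "application/pdf", b"Q3 figures"),
}


def make_app(releases, clock, early_hits):
    """Build a WSGI app that serves a document only after its release time.

    clock      -- callable returning the current aware datetime (injectable)
    early_hits -- list receiving (time, client, path) for pre-release requests
    """
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        now = clock()
        entry = releases.get(path)
        if entry is not None and now >= entry[0]:
            _, ctype, body = entry
            start_response("200 OK", [("Content-Type", ctype),
                                      ("Content-Length", str(len(body)))])
            return [body]
        if entry is not None:
            # Someone knew or guessed the address before release: record it.
            early_hits.append((now, environ.get("REMOTE_ADDR", "-"), path))
        # Embargoed and nonexistent paths get the same answer, so the
        # response does not confirm that a guessed name is correct.
        body = b"Not Found"
        start_response("404 Not Found", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
    return app


def fetch(app, path, client="192.0.2.10"):
    """Drive the app in-process (no network) and return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["REMOTE_ADDR"] = client
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body


def demo():
    """Request the Q3 report a day early, then again at release time."""
    hits = []
    now = [datetime(2030, 10, 23, 12, 0, tzinfo=UTC)]
    app = make_app(RELEASES, lambda: now[0], hits)
    before = fetch(app, "/press/q3_report.pdf")    # extrapolated name, too early
    missing = fetch(app, "/press/q4_report.pdf")   # name that does not exist
    old = fetch(app, "/press/q2_report.pdf")       # already released
    now[0] = datetime(2030, 10, 24, 7, 0, tzinfo=UTC)
    after = fetch(app, "/press/q3_report.pdf")
    return before, missing, old, after, hits


if __name__ == "__main__":
    for result in demo():
        print(result)
```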
  • by Qrlx ( 258924 ) on Tuesday October 29, 2002 @12:37PM (#4556430) Homepage Journal
    What about the Google toolbar? I'm not sure what that thing is all about, BUT...

    I was running the Google Toolbar, and I had some un-linked content on our live web server. Then my boss just happened to be searching for some of that info on Google, and bam! The "secret" pages on our web server show up! Content that was indeed on the web but did not have any outside hyperlinks pointing to it was being cached by Google.

    How did Google find it? The only thing I can think of is that the Google Toolbar noticed that I went to that unpublished URL and "phoned home." (By the way, the web server is running IIS 5.0/Windows 2000, so I doubt those Apache tricks would work, though there must be similar tricks for IIS.)
  • by sheetsda ( 230887 ) <<doug.sheets> <at> <gmail.com>> on Tuesday October 29, 2002 @12:43PM (#4556482)
    My college protects grades a similar way before they're released, last semester I started publishing a form [muohio.edu] in my web space (hosted on their server :)) that allows you to get your grades (presumably) as soon as they're scanned in, several days before their intended release. I don't know if anyone on staff noticed and/or cared; it may be that the official release time is just there to prevent complaining about "she got her grades before I could". All that was required to make the form was stripping down their grade submit page and changing one of the options in a select.
  • Damn! (Score:2, Interesting)

    by quacking duck ( 607555 ) on Tuesday October 29, 2002 @04:48PM (#4558728)
    A few months ago I guessed the URL to the then-new Star Trek Nemesis teaser from Apple's site ten minutes before their trailer page was updated to access it, ensuring I got it at high download speed before the masses linked in and slowed everything down.

    Guess I'll be expecting a court summons soon...
