Reuters Accused Of Hacking For Typing In URL

Posted by timothy on Tue Oct 29, 2002 04:23 AM
from the permission-granted-or-denied dept.
Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."
  • Related: what about referer logs (Score:5, Interesting)

    by jukal (523582) on Tuesday October 29 2002, @04:26AM (#4554264) Journal
    What if you get the link for the yet unpublic page from the referrer logs of your own site, for example www.reuters.com -logs? Would using that information be criminal?

    Here's [slashdot.org] a related thread from yesterday.

  • Stating the obvious (Score:5, Insightful)

    by Bartmoss (16109) on Tuesday October 29 2002, @04:28AM (#4554269) Homepage Journal
    It could have easily been protected by .htaccess or whatever. So, they have no case. Let's hope Reuters won't budge, and the judge will have a clue.
    • True dat by D+iz+a+n+k+Meister (Score:1) Tuesday October 29 2002, @04:33AM
      • Re:True dat by march (Score:1) Tuesday October 29 2002, @10:24AM
        • Re:True dat by Suppafly (Score:2) Tuesday October 29 2002, @10:43AM
          • Re:True dat by march (Score:1) Tuesday October 29 2002, @03:34PM
        • Re:True dat by Dudio (Score:1) Tuesday October 29 2002, @12:54PM
          • Re:True dat by march (Score:1) Tuesday October 29 2002, @01:09PM
      • Apple does the same by 1u3hr (Score:1) Tuesday October 29 2002, @12:22PM
    • Re:Stating the obvious by Boing (Score:2) Tuesday October 29 2002, @04:48AM
      • Re:Stating the obvious (Score:5, Insightful)

        by MalleusEBHC (597600) on Tuesday October 29 2002, @04:51AM (#4554364)
        A store can easily be protected by purchasing video cameras. That doesn't make it legal to burglarize a store that just uses lock-and-key.

        The problem with your analogy is that they didn't even use a lock and key. Their doors were open for business and now they are getting mad that someone came in before they could put up the big neon "OPEN" sign.
        [ Parent ]
        • Re:Stating the obvious (Score:5, Insightful)

          by SmallFurryCreature (593017) on Tuesday October 29 2002, @05:35AM (#4554478) Journal
          The analogy is, I think, fundamentally flawed. It is more like peeping. Did Reuters go to extraordinary lengths to peep in on data that the plaintiff could reasonably have expected to remain hidden?

          People walking by in the street can not be charged with peeping if they see you walking naked in your house. Not even if they have to turn their heads to do it. Simply claiming that since you are doing it in your own house you are supposed to have privacy is not valid. You have to draw the curtains for the expectancy of privacy to be granted.

          Now the question is, did they have the curtains drawn? I personally think not. It will be interesting to see what the law has to say about it.

          [ Parent ]
          • Re:Stating the obvious (Score:4, Insightful)

            by evbergen (31483) on Tuesday October 29 2002, @07:56AM (#4554891) Homepage
            data that the plaintiff could reasonably have expected to remain hidden?

            He could not. If you put something on a /public/, passwordless directory of a webserver, then he has no grounds whatsoever to believe that it would remain hidden.

            It has nothing to do with peeping either. There's no 'smaller hole' you have to go through technically in order to obtain the requested document from the server. http://www.company.com/secretreports.html is just as available as http://www.company.com/index.html. Site portals are just yellow pages that help you find those URLs. Am I forbidden to dial a phone number that I didn't find in the phone book?

            If you want to protect a secret and assume that something will remain hidden, you need to take /reasonable/ measures. /Any/ person with /any/ knowledge of computers and networking will say you /at least/ need username/password protection.
            [ Parent ]
          • Re:Stating the obvious by spacefiddle (Score:1) Tuesday October 29 2002, @08:24AM
          • Re:Stating the obvious (Score:4, Insightful)

            by catfood (40112) on Tuesday October 29 2002, @10:27AM (#4555878) Homepage

            The plaintiff did not have the metaphorical curtains drawn. There was no realistic way to know the report was supposed to be hidden. The lack of a hyperlink to that report could mean a million different things--they forgot to add the link, they were publishing the report's URL in meatspace media, the link was in a place the defendant didn't know about, the link was propagated via email (hence not visible on any website), or whatever.

            But there's only one good way to tell people to stay away from a given web document--the 403 response code.

            The simplest common-sense defense would be to remind the court that the plaintiff's server gave a 200 response code. Defendants asked for a document and plaintiff provided it, where is the tort?

            [ Parent ]
          • No. by Ayanami Rei (Score:1) Tuesday October 29 2002, @03:02PM
        • Re:Stating the obvious by sallen (Score:2) Tuesday October 29 2002, @06:44AM
        • HTTP is a two-way conversation by Anonymous Coward (Score:1) Tuesday October 29 2002, @08:23PM
      • Re:Stating the obvious by Anonymous Coward (Score:1) Tuesday October 29 2002, @06:23AM
      • Re:Stating the obvious by spongman (Score:2) Tuesday October 29 2002, @06:47AM
      • Re:Stating the obvious by Pastis (Score:3) Tuesday October 29 2002, @07:03AM
      • Re:Stating the obvious by dpt (Score:2) Tuesday October 29 2002, @07:26AM
      • Re:Stating the obvious by cyclist1200 (Score:1) Tuesday October 29 2002, @08:07AM
      • Classic case by wrax (Score:1) Tuesday October 29 2002, @09:01AM
      • Re:Stating the obvious by overunderunderdone (Score:2) Tuesday October 29 2002, @09:28AM
      • Re:Stating the obvious by juggler314 (Score:1) Tuesday October 29 2002, @09:58AM
      • Re:Stating the obvious by macdaddy (Score:3) Tuesday October 29 2002, @10:07AM
      • Re:Stating the obvious by tsg (Score:2) Tuesday October 29 2002, @11:25AM
      • Re:Stating the obvious by Physics Dude (Score:1) Tuesday October 29 2002, @02:39PM
    • Re:Stating the obvious by bluFox (Score:1) Tuesday October 29 2002, @04:50AM
    • Re:Stating the obvious (Score:5, Interesting)

      by passthecrackpipe (598773) <`passthecrackpipe' `at' `hotmail.com'> on Tuesday October 29 2002, @05:51AM (#4554521)
      I don't think this is about security, or .htaccess, or typing a URL, or anything technical whatsoever. This is simply a company that is being *extremely* clever when it comes to Marketing.

      Yesterday, I, as an IT professional that makes purchasing decisions for a large organisation, had never heard from this company. Now I know they make Collaborative Solutions. All it cost them was a bogus court case with Reuters.

      This is clever marketing, nothing more, nothing less. Anyone can spot the lack of merits of this case from a mile away. Brand and name recognition of this company is soaring though. I wonder how their stock price is taking it?

      [ Parent ]
    • Great ! by doru (Score:1) Tuesday October 29 2002, @06:15AM
    • Re:Stating the obvious (Score:5, Insightful)

      by Sancho (17056) on Tuesday October 29 2002, @09:30AM (#4555385) Homepage
      This case is actually symptomatic of a much larger problem that the US (and the rest of the world, from the looks of it) face: using the courts and your clout to cover up your mistakes. It seems like it's gotten to the point where if something happens that you don't like, you sue someone. Doesn't really matter who. Filing a suit has become a method of saying "We did nothing wrong, in fact we were wronged." even when in many cases this is simply untrue.
      This company clearly messed up. A news agency got some information (and not by hacking!) and published it. The information wasn't fraudulent. If it was false, it wasn't with a disregard for the truth--after all, it was in a document on the company's website. But the company in question didn't like the fact that the information got out, so they sue the news company.

      Forget terrorism and its effect on "free speech and free press" (right now a mostly US-centric concern) the real danger is big budget corporations who have the money and time to spend taking you to court because they didn't like what you had to say. It's scary, folks, and it's not getting any better.
      [ Parent ]
    • Re:Stating the obvious by djeaux (Score:1) Tuesday October 29 2002, @09:59AM
    • Re:Stating the obvious by Switchback (Score:1) Tuesday October 29 2002, @11:03AM
    • Re:Stating the obvious by Cyberia (Score:1) Tuesday October 29 2002, @11:19AM
  • Online or not. by dda (Score:2) Tuesday October 29 2002, @04:28AM
  • Oh, great! by Troy H Parker (Score:2) Tuesday October 29 2002, @04:29AM
  • Ridiculous! by ChristW (Score:2) Tuesday October 29 2002, @04:29AM
    • Re:Ridiculous! (Score:5, Interesting)

      by Anonymous Coward on Tuesday October 29 2002, @04:39AM (#4554317)
      Here in Denmark we have a similar (but more serious) case. A micro-payment system called Valus owned and developed by a Norwegian bank (Den Norske Bank) was "hacked" on its premiere day by typing in a simple URL with the command SHUTDOWN at the end. The link to do this was published on an online debate forum and several people tried the link (although it had a warning that you should not try it:-). The problem was missing input validation (maybe the most basic security issue). Until now five people have been taken to court - one of them being the "mastermind" who posted the link. As a reaction to this behaviour Valus has been reported to the state agency for protection of personal data (Datatilsynet) for not securing personal data.
      [ Parent ]
    • Re:Ridiculous! by SEWilco (Score:1) Tuesday October 29 2002, @08:58AM
  • Insecure or Unsecure or something... by failrate (Score:1) Tuesday October 29 2002, @04:30AM
  • Stupidity (Score:5, Insightful)

    by e8johan (605347) on Tuesday October 29 2002, @04:31AM (#4554281) Homepage Journal
    Quotes are from Intentia's press release concerning the investigation.

    "Reuters News Agency Broke into Intentia's IT Systems"

    I would not call it breaking in to surf on someone's homesite.

    "there was an unauthorized entry via an IP-address belonging to Reuters"

    What do they mean, do I have to call them and ask for permission before accessing files publicly available on their homesite?

    As Reuters didn't steal anything, but simply pointed at an open window (that they found) I would have to say that their act was not illegal. What they should investigate is their internal safety policies, because they need a revision or two (IMHO).
    • Re:Stupidity by just_because_it's_ir (Score:2) Tuesday October 29 2002, @08:32AM
      • Re:Stupidity by grahamm (Score:1) Tuesday October 29 2002, @12:01PM
    • Re:Stupidity by hosebee (Score:2) Tuesday October 29 2002, @09:00AM
    • Dear Mr. President by dnoyeb (Score:2) Tuesday October 29 2002, @09:12AM
    • Re:Stupidity by sciolist (Score:1) Tuesday October 29 2002, @11:42AM
    • Re:Stupidity (Score:4, Insightful)

      by Jezza (39441) on Tuesday October 29 2002, @05:15AM (#4554426)
      Well yeah that's right, if you don't protect the information (and "not making the URL public" isn't protection) then you have to realise that people can look. I can't see what they're expecting to gain by this. All they have done is make the information MORE visible and highlight that they have NO CLUE.

      Once this information was in the public domain then I think their best policy would have been to do nothing, perhaps just issue the information with the best spin they could.

      Taking them to court seems like a REALLY BAD idea.
      [ Parent ]
      • Re:Stupidity by technix4beos (Score:1) Tuesday October 29 2002, @05:57AM
        • Re:Stupidity by Jezza (Score:2) Tuesday October 29 2002, @06:16AM
          • Re:Stupidity by Planesdragon (Score:2) Tuesday October 29 2002, @09:38AM
        • Re:Stupidity by wagemonkey (Score:1) Tuesday October 29 2002, @08:12AM
    • Re:Double standards? by archeopterix (Score:2) Tuesday October 29 2002, @06:33AM
    • Re:Double standards? by nolife (Score:1) Tuesday October 29 2002, @09:04AM
  • Silly by Anonymous Coward (Score:2) Tuesday October 29 2002, @04:31AM
  • Nothing to do with links. (Score:4, Insightful)

    by tunah (530328) <samNO@SPAMkrayup.com> on Tuesday October 29 2002, @04:32AM (#4554285) Homepage
    If you don't use a hyperlink on a website, are you committing a crime?

    It's not about the existence (or not) of the link, but the source of the URL. While I don't agree with it, I think what they are saying is that if a site doesn't publish a URL (usually through a link, but could be in print, etc) it is not public information and accessing it is unauthorised access. This is the same attitude (if not specific issue) that has a problem with deep-linking [slashdot.org] too.

  • that's cold man. by xirtam_work (Score:2) Tuesday October 29 2002, @04:32AM
    • Re:that's cold man. (Score:4, Insightful)

      by dipipanone (570849) on Tuesday October 29 2002, @04:51AM (#4554362)
      What Reuters did exposed the company to a situation before they were ready.

      Which is precisely what you'd expect them to do, Reuters being a press agency and all.

      I court I hope Reuters don't get busted for accessing the information, but for publishing details about it.

      Damn straight. If it weren't for those goddamned financial journalists, I bet Enron would still be trading today. The freedom of the press has got no business interfering with our right to earn a dishonest dollar.

      After all I'm sure that the company in question had a copyright notice on all their pages, right?

      So what? Do you really believe Reuters breached their copyright in the report?

      Get a jar of glue, man.
      [ Parent ]
    • Re:that's cold man. by Mr_Dyqik (Score:2) Tuesday October 29 2002, @05:06AM
  • mandatory pr0n reference (Score:5, Funny)

    by stud9920 (236753) <slash-dot@major[ ]net ['os.' in gap]> on Tuesday October 29 2002, @04:32AM (#4554288) Homepage
    Well I do it all the time when browsing pr0n. Suppose you have a URL like this one: http://www.hotteenchick.com/free/tgp/melanie08/melanie08.html,
    it doesn't take long to figure out where the other pics are.
  • There are technical solutions (Score:5, Insightful)

    by toriver (11308) on Tuesday October 29 2002, @04:32AM (#4554290)
    In my opinion, any HTTP GET request is exactly that, a request. "May I have that resource, Server Sir?". And if the server (which is the thingy that is responsible for allowing or refusing the request) actually sent the requested resource/document back to the client, it has answered "Yes, you may" by responding with the resource.

    If the publishers of the resource wanted to limit access to the resource they could add authentication, referer checking, or a timestamp check - anything, really. Since they did not, I fail to see how they can have a case.

    "Security through obscurity", like having a non-linked but available resource, is self delusion.

    • Mod parent up by JanusFury (Score:1) Tuesday October 29 2002, @04:42AM
    • Re:There are technical solutions by sverrehu (Score:1) Tuesday October 29 2002, @04:47AM
    • but are there tech solutions for a meme? by SgtChaireBourne (Score:1) Tuesday October 29 2002, @05:02AM
    • Re:There are technical solutions (Score:4, Insightful)

      by sco08y (615665) on Tuesday October 29 2002, @05:12AM (#4554417)
      "Security through obscurity", like having a non-linked but available resource, is self delusion.

      That's one of those mantras that get repeated until people believe they're true.

      Fact is, all security is obscurity. Security rests on the notion of a shared secret. Some key that both you and the other guy know.

      In my opinion, any HTTP GET request is exactly that, a request. "May I have that resource, Server Sir?".

      So if I add a login header, is that just another GET request? It's the difference between http://root:12345@www.0wn3d.com/ and http://www.0wn3d.com/.

      Or what if I add an obscure folder name to the URL like sf908h234ff98hs9f?

      You might argue that the actual crime was in obtaining the password, and I agree that (for example) fraudulently claiming to be an employee (psychological hacking) is criminal, but it's a separate offense.

      That's why breaking into someone's house is "breaking & entry." Even if you don't have to break in, entering is still criminal.

      The problem with "ah well, these guys were just poking around, the publishers should have used proper security" is that it raises the bar of what security is to what we experts think it ought to be. Many people don't have the capability to employ such measures, so we're denying them legal recourse.

      It would cause the same kind of division in society as if we had a law that said burglary doesn't count unless you have an expensive security system.
      [ Parent ]
      • Re:There are technical solutions (Score:5, Interesting)

        by D+iz+a+n+k+Meister (609493) on Tuesday October 29 2002, @05:30AM (#4554460) Journal
        The problem with "ah well, these guys were just poking around, the publishers should have used proper security" is that it raises the bar of what security is to what we experts think it ought to be. Many people don't have the capability to employ such measures, so we're denying them legal recourse.

        1. These people are experts.
        2. From a practical viewpoint, it should not have been on that server if it wasn't to be served. Anyone with sensitive data should at least be able to employ that measure.
        3. Why should they have legal recourse against typing things in the address bar of a browser?
        [ Parent ]
      • Flawed Analogy by Anonymous Coward (Score:1) Tuesday October 29 2002, @06:28AM
      • Re:There are technical solutions by The Lord of Chaos (Score:1) Tuesday October 29 2002, @07:07AM
      • Re:There are technical solutions by sopuli (Score:1) Tuesday October 29 2002, @07:20AM
      • Re:There are technical solutions by avajadi (Score:1) Tuesday October 29 2002, @07:36AM
      • Re:There are technical solutions (Score:5, Insightful)

        by j7953 (457666) on Tuesday October 29 2002, @07:57AM (#4554895)
        So if I add a login header, is that just another GET request? It's the difference between http://root:12345@www.0wn3d.com/ and http://www.0wn3d.com/.

        No. In that case, you're trying to circumvent (by having illegally obtained or by guessing the password) a security measure. (Also see below.)

        It would cause the same kind of division in society as if we had a law that said burglary doesn't count unless you have an expensive security system.

        No. There is a difference between trying to receive information (i.e. trying to have it delivered to me), and trying to actively enter someone else's property. The breaking-in analogy is fundamentally flawed, at least as long as we're not talking about trying to circumvent any security that is installed (e.g. trying to guess passwords -- that would be trying to actively enter).

        Also note that houses (and physical locations in general) usually make it quite obvious whether they're supposed to be public or private. All private houses, even if they have no locks or security systems, have an implicit security mechanism: doors. Even if they're unlocked, closed doors tell most people not to enter unless invited by someone opening the door, or by a sign that tells them it's public. Why do you think most stores have doors that allow you to look into the store, that have obvious "open" signs, and that sometimes even open for you automatically? It's a way of telling people that the door is, unlike most other doors, not intended to keep them out.

        URLs, however, are all designed the same way, there is no obvious difference between private and public resources. The only way to recognize them as private is to request them and see if a password request will show up. And experience suggests that most URLs are public.

        Making it potentially illegal to try an URL will get you into the same legal problems as trying to make a difference between precise links ("deep links") and generic links (links to front pages).

        Some of the questions you'd have to answer are:

        • If you have requested, by following a link, the resource /some/path/document, and get a 404 Page not Found error, is it legal for you to try accessing /some/path/ by changing the URL in your browser's URL field?
        • Is it legal to type some domain name into your browser, even if it is not published anywhere? (E.g. you're looking for Foo Corporation's web site and try www.foo.com.)
        • If you're currently reading /2001/some-report, and you think that the year 2002 record would be more interesting, would you not try to type /2002/some-report into your browser?
        • If you're reading a structured document, e.g. an online book or a howto article, and you're currently reading /3-1, and you realize you'd like to skip chapter three but the "Next" link points to /3-2, is it legal for you to type /4 into your browser?
        • If you follow a link and get a 404, and the URL looks like the webmaster simply made a typo, is trying to correct the URL illegal without permission?
        • If any of the above is illegal, but someone did it anyway and then published the URL on his web site, without telling how he found it, is it illegal to click? To copy and paste?

        I am a webmaster myself, and I do agree that there are some requests that are sent with obviously malicious intentions (e.g. requests for cmd.exe etc.). But I am also a web user, and I don't want browsing the web to become a legal risk simply because I know how URLs work and make use of that knowledge. Some web site operators seem to believe that simply because they intended their visitors to behave in a certain way, and didn't provide any means for the users to behave differently, that anything but what they expect you to do should be illegal.

        There is a difference between an author telling you that it makes sense to read chapter four of his book before reading chapter five, and an author trying to put you in jail for reading chapter five first anyway.

        [ Parent ]
      • Re:There are technical solutions by Webmonger (Score:2) Tuesday October 29 2002, @08:24AM
      • OS level security by Flamesplash (Score:1) Tuesday October 29 2002, @08:26AM
      • Re:There are technical solutions by nahdude812 (Score:3) Tuesday October 29 2002, @09:05AM
      • Re:There are technical solutions by radish (Score:2) Tuesday October 29 2002, @09:21AM
      • Re:There are technical solutions by revery (Score:1) Tuesday October 29 2002, @10:04AM
      • public-key crypto/ addresses as privileged info by iskander (Score:1) Tuesday October 29 2002, @10:08AM
      • Re:There are technical solutions by toriver (Score:2) Tuesday October 29 2002, @10:18AM
      • Re:There are technical solutions by fermion (Score:1) Tuesday October 29 2002, @11:11AM
      • Re:There are technical solutions by blueroo (Score:1) Tuesday October 29 2002, @12:09PM
      • Re:There are technical solutions by Loki_1929 (Score:2) Tuesday October 29 2002, @12:22PM
      • Re:There are technical solutions by FTL (Score:3) Tuesday October 29 2002, @12:23PM
      • Re:There are technical solutions by Sycraft-fu (Score:2) Tuesday October 29 2002, @12:36PM
      • Re:There are technical solutions by deblau (Score:2) Tuesday October 29 2002, @02:09PM
      • In certain situations, I would agree by Ayanami Rei (Score:1) Tuesday October 29 2002, @03:24PM
    • Re:analogies by Anonymous Coward (Score:2) Tuesday October 29 2002, @05:52AM
    • Re:There are technical solutions by avajadi (Score:1) Tuesday October 29 2002, @07:27AM
    • Re:There are technical solutions by JaredOfEuropa (Score:3) Tuesday October 29 2002, @07:59AM
    • GET by bwt (Score:2) Tuesday October 29 2002, @10:50AM
  • Hacking? by Anonymous Coward (Score:1) Tuesday October 29 2002, @04:33AM
  • As the adage goes by sarcast (Score:1) Tuesday October 29 2002, @04:33AM
  • by g4dget (579145) on Tuesday October 29 2002, @04:37AM (#4554307)
    Many people truncate URLs to avoid dealing with broken site navigation systems. Mozilla and Galeon even have an "up" button. Other pages may become unlinked but may still be linked from a log or search engine. Some files, like /robots.txt, are almost never linked to, yet everybody knows they are there. And more than once, I have mistyped a host name along with a URL and gotten a web page that looked not entirely public (logs, etc.).

    In some areas of law, it's unavoidable drawing fuzzy boundaries and considering intent. However, in this case, anybody who wants to protect their information on the web easily can, using standard web access control schemes; they don't need to rely on using obscure URLs. Let's not burden the courts with this.

    This is part of a more general and disturbing trend, where lazy system admins don't spend the time to set up their systems correctly, or management hires incompetent and cheap staff, and then try to use the court system and police (i.e., taxpayer money) to make up for their own shortcomings.
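
The access controls that several comments in this thread refer to (authentication, a timestamp check, a 403 instead of a 200), shown as an added example that is not part of the original discussion. It contrasts an unlinked-but-served report with one gated by release time and staff credentials; all paths, times, credentials and function names are constructed for illustration.

```python
import base64
import hmac
from datetime import datetime, timezone

# Constructed sample data: the paths, release time and credentials are
# hypothetical and do not come from the case discussed in the thread.
PUBLIC = {"/index.html", "/robots.txt"}
EMBARGOED = {"/reports/interim.html": datetime(2030, 1, 15, 7, 0, tzinfo=timezone.utc)}
STAFF = {"ir-editor": "constructed-sample-password"}


def basic_auth_ok(header):
    """Return True if an HTTP Basic Authorization header matches a STAFF entry."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    user, _, password = decoded.partition(":")
    expected = STAFF.get(user)
    # compare_digest avoids leaking how many characters matched via timing
    return expected is not None and hmac.compare_digest(
        password.encode(), expected.encode())


def obscurity_only(path, now, auth_header=None):
    """The file sits on the server, merely unlinked: anyone who asks gets 200."""
    return 200 if path in PUBLIC or path in EMBARGOED else 404


def access_controlled(path, now, auth_header=None):
    """Gate embargoed documents on release time, with a staff preview."""
    if path in PUBLIC:
        return 200
    release = EMBARGOED.get(path)
    if release is None:
        return 404
    if now >= release:
        return 200                      # officially released
    if auth_header is None:
        return 403                      # explicit refusal for anonymous clients
    return 200 if basic_auth_ok(auth_header) else 401


def early_disclosures(policy, requests):
    """Replay (path, time, auth_header) requests through a policy and return
    those where a non-staff client was answered 200 before the release time."""
    leaked = []
    for path, when, auth in requests:
        release = EMBARGOED.get(path)
        if (release is not None and when < release
                and not basic_auth_ok(auth)
                and policy(path, when, auth) == 200):
            leaked.append((path, when))
    return leaked


_STAFF_HEADER = "Basic " + base64.b64encode(
    b"ir-editor:constructed-sample-password").decode()
_BEFORE = datetime(2030, 1, 15, 6, 0, tzinfo=timezone.utc)
_AFTER = datetime(2030, 1, 15, 8, 0, tzinfo=timezone.utc)

# Constructed request log: anonymous early, staff early, anonymous after release.
SAMPLE_REQUESTS = [
    ("/reports/interim.html", _BEFORE, None),
    ("/reports/interim.html", _BEFORE, _STAFF_HEADER),
    ("/reports/interim.html", _AFTER, None),
]

if __name__ == "__main__":
    for name, policy in (("obscurity_only", obscurity_only),
                         ("access_controlled", access_controlled)):
        print(name, [policy(p, t, a) for p, t, a in SAMPLE_REQUESTS],
              "early disclosures:", len(early_disclosures(policy, SAMPLE_REQUESTS)))
```

Replaying the same three requests through both policies shows the only difference is the anonymous request made before the release time: 200 under obscurity, 403 under the gated policy.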