Reuters Accused Of Hacking For Typing In URL
Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."
Here's a related thread from yesterday.
It could have easily been protected by .htaccess or whatever. So, they have no case. Let's hope Reuters won't budge, and the judge will have a clue.
I think that by definition: online means available, and not linked. If it has to be sanctioned because it was online, then yes, they must be guilty.
no no, you say it "router" ('rau-t&r).
Are we going to get "internet traffic tickets" now, instead of a 404 error?
Oh wow! Deep-linking outlawed, URL-typing outlawed! How long until hyperlinking itself is outlawed? Oh wait, I should ask BT that, since they own the patent on hyperlinking...
Besides, isn't 'regulating access to private information on a public website' what .htaccess was for?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Yeah, if they didn't have crypto on it, then Reuters didn't hack anything. The beef of this whole thing is that the company was tanking, anyway, and I betcha they're using this whole stupid thing as some kind of scapegoat or smokescreen.
Voodoo Girl is the bomb!
Quotes are from Intentia's press release concerning the investigation.
"Reuters News Agency Broke into Intentia's IT Systems"
I would not call it breaking in to surf on someones homesite.
"there was an unauthorized entry via an IP-address belonging to Reuters"
What do they mean, do I have to call them and ask for permission before accessing files publically available on their homesite?
As Reuters didn't steal anything, but simply pointed at on open window (that they found) I would have to say that their act was not illegal. What they should investigate is their internal safety policies, because they need a revision or two (IMHO).
It's not about the existence (or not) of the link, but the source of the URL. While I don't agree with it, I think what they are saying is that if a site doesn't publish a URL (usually through a link, but could be in print, etc) it is not public information and accessing it is unauthorised access. This is the same attitude (if not specific issue) that has a problem with deep-linking too.
Free Java games for your phone: Tontie, Sokoban
anybody who strays from the 'garden path' of links provided shouldn't be deemed a criminal.
However, it depends upon what you do with this so-called unpublished material.
What Reuters did exposed the company to a situation before they were ready. Seems to me like the company should have taken more adequate security such as using htaccess passwords, etc.
In court I hope Reuters doesn't get busted for accessing the information, but for publishing details about it. After all, I'm sure that the company in question had a copyright notice on all their pages, right?
Well I do it all the time when browsing pr0n. Suppose you have a URL like this one: http://www.hotteenchick.com/free/tgp/melanie08/melanie08.html,
it doesn't take long to figure out where the other pics are.
If the publishers of the resource wanted to limit access to the resource they could add authentication, referer checking, or a timestamp check - anything, really. Since they did not, I fail to see how they can have a case.
"Security through obscurity", like having a non-linked but available resource, is self delusion.
How could it possibly be considered private if it was accessible by URL?
As the parent pointed out, it could have been protected by .htaccess -- or -- it could have been placed somewhere other than on a "production" server.
He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
That would imply the firm took some sort of measure that was circumvented. Last I heard you did not NEED to post anything (for storage purposes) to a website... doing so makes it accessible. Also, you can set permissions for your webserver/directories, so I do not see why they are making a fuss. Maybe they should have secured the page, or better yet, not put it on the server until it was ready. Smart webmasters/admins have already dealt with this (Ex: PHP Nuke will not let you access a module ("section") outside of the script). Isn't there something called .htaccess?
Bah
How many times have we heard this:
"Anything you put up on the internet is there forever."
I don't understand why a company would put sensitive financial reports on their web server and then complain when someone finds them there with an easily guessable name no less.
While Reuters should have had a bit more discretion, seeing as how they are supposed to be an international news organization, I can't say that I feel sorry for this company if they did something that dumb.
In some areas of law, it's unavoidable drawing fuzzy boundaries and considering intent. However, in this case, anybody who wants to protect their information on the web easily can, using standard web access control schemes; they don't need to rely on using obscure URLs. Let's not burden the courts with this.
This is part of a more general and disturbing trend, where lazy system admins don't spend the time to set up their systems correctly, or management hires incompetent and cheap staff, and then they try to use the court system and police (i.e., taxpayer money) to make up for their own shortcomings.
"The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB."
Um, yeah. If you can't tell the difference between 'storing confidential data in an access controlled place on your internal network' and 'storing confidential data on an open-for-all external site' it sure will damage my confidence in Intentia as a company. Incompetent is a fairly fitting description.
Don't ever put anything on a publicly accessible webserver unless you want it to be seen. Of course I doubt they'll learn...
-witty
"The incident has severely damaged confidence in us as individuals and in Intentia as a company"
Well I should hope so. A business that writes software so business can collaborate should know how to run a webserver.
He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
The one person that put the document on a public webserver is the one who is to blame. No matter how they toss and turn it, it was accessible without any access restrictions from the web. Nothing was hacked and no password guessed.
I really hope that the court handling this case will understand how a webserver functions. In that case it's all clear who's to blame.
HTTP/1.1 400
Repeat after me:
If you don't want people to read something, don't put it on the Internet.
Please correct me if I got my facts wrong.
Let's think about this for a minute... if I remember the URL that was used to access a particular resource, and just type it in again at a later date (or even just recall a stored bookmark), am I hacking the site, just because the link I used originally may not exist any more?
Hell, if I just type a domain name into the browser, am I considered to be hacking the site (because it may not be indexed by the search engines yet, etc.)?
The internet is a 'public' network... (in terms of ability to access resources, not necessarily in the ownership of the material found there)...
It is easy enough to 'secure' data (at least in a trivial sense), and the responsibility has to be on the 'publisher' to make a reasonable attempt to protect data that they do not wish to be generally available... not linking to a resource does not constitute a reasonable attempt.
First, Reuters' position would probably be that the data was on a public network which was in plain view as long as the URL is typed in. I myself do this all the time: why go to www.microsoft.com, click once on support, then click on download when I know the URL I want is www.microsoft.com/download? It saves time and trouble. However, their "accidental" stumbling upon this data, which is far more important than anything I'd ever likely find by accident, would most likely not fall into the same category. IANAL, but at the same time I would argue that anything they don't want leaked shouldn't be put online anyway, and especially without any security.
However, I can see Intentia International's point of view. What's to stop someone from simply hitting their webserver with every alpha-numeric combination possible? They'll eventually come across the correct one for some piece of information which had gone previously undiscovered because it was to be placed up at a time which was decided by Intentia or any other company for that matter. I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/financial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password. And, scarily enough, if they showed a direct relationship between all pages not yet linked and their corresponding URL, perhaps a big fat DMCA case might come about if Reuters or someone figured that "~a2eslcf" meant "third quarter" in some sorry 2-bit encryption.
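The enumeration scenario above (and the "timestamp check" a commenter mentions earlier in the thread), as an added example that is not part of the original thread or of Intentia's site: a toy document server with predictable report names. One handler serves whatever has been uploaded, linked or not; the other refuses to serve a document before its release time. The paths, dates and report contents are constructed for illustration.

```python
"""Why an unlinked URL is not an access control: predictable names get guessed.

Two handlers share one document store. `serve_obscure` relies on nobody
knowing the name; `serve_embargoed` enforces a per-document release time,
so an early request fails even when the name is guessed. All data below is
constructed sample data, not anything from the real site.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import product
from typing import Callable

UTC = timezone.utc


@dataclass(frozen=True)
class Document:
    body: str
    release_at: datetime  # embargo lifts at this instant (UTC)


def make_store() -> dict[str, Document]:
    """Constructed sample store: two published reports and one still embargoed."""
    return {
        "/reports/2002q1.html": Document("Q1 figures", datetime(2002, 4, 25, tzinfo=UTC)),
        "/reports/2002q2.html": Document("Q2 figures", datetime(2002, 7, 25, tzinfo=UTC)),
        "/reports/2002q3.html": Document("Q3 figures", datetime(2002, 10, 24, 13, 0, tzinfo=UTC)),
    }


Handler = Callable[[dict[str, Document], str, datetime], tuple[int, str]]


def serve_obscure(store: dict[str, Document], path: str, now: datetime) -> tuple[int, str]:
    """Security through obscurity: anything uploaded is served, linked or not."""
    doc = store.get(path)
    return (200, doc.body) if doc else (404, "")


def serve_embargoed(store: dict[str, Document], path: str, now: datetime) -> tuple[int, str]:
    """Same store, but nothing is served before its release time.

    A 404 (rather than 403) is returned for the embargoed case so the response
    does not confirm that a report for that quarter already exists.
    """
    doc = store.get(path)
    if doc is None or now < doc.release_at:
        return (404, "")
    return (200, doc.body)


def candidate_paths(years, quarters=(1, 2, 3, 4)) -> list[str]:
    """The obvious names a reporter would try when the pattern is year+quarter."""
    return [f"/reports/{y}q{q}.html" for y, q in product(years, quarters)]


def enumerate_reports(handler: Handler, store: dict[str, Document], now: datetime,
                      years=(2001, 2002)) -> list[str]:
    """Try every candidate name and return the ones the handler actually served."""
    return sorted(p for p in candidate_paths(years) if handler(store, p, now)[0] == 200)


if __name__ == "__main__":
    store = make_store()
    before = datetime(2002, 10, 24, 10, 51, tzinfo=UTC)  # before the Q3 release
    print("obscure  :", enumerate_reports(serve_obscure, store, before))
    print("embargoed:", enumerate_reports(serve_embargoed, store, before))
```

Before the release instant the guessing loop finds the Q3 report on the obscurity-only server and only Q1 and Q2 on the embargoed one; after it, both serve all three. The point is that the check lives in the handler, not in whether a link exists.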
It's not hard to crawl a website, such as search engines do all the time. Yet I bet they're not going to sue google which undoubtedly had a cache of the site before it went public (robots allowed, of course).
And if your server is set to list directories, then it's already "serving" away all of its pretty little files without much prodding (funny, how a server... serves... files).
http://www.intentia.com/w2000.nsf/pages/PR_5BBD
" The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters. The entry took place at 12:51 pm on October 24th 2002, prior to the publication of the interim report for the third quarter of 2002. At approximately 12:57 pm, Reuters published the first news flash giving information on Intentia's third quarter result, without prior confirmation from the Company..."The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.
"We question the methods used by Reuters, and our judgement is that we cannot rule out the possibility of illegal actions. As a consequence we will file criminal charges regarding the incident," says Björn Algkvist.
"We will disclose to the Stockholm Stock Exchange all technical details on how the intrusion was made, which will allow them to share this information with other listed companies, so that actions preventing similar events in the future can be made," concludes Björn Algkvist. "
Tip for the Swedes over there at Intentia International:
"chmod --help" -or-
"mv --help"
If an unauthorized page isn't met with a 404 or 403, you did something wrong.
Most folk'll never lose a toe, and then again some folk'll...
The company homepage, www.corp.com, is like the main switchboard number, say 555-1000.
URL's reachable through the home page (www.corp.com/foo/bar) are like internal extensions you can find through the voice menu system (555-1357).
The link with the earnings report is like an extension (555-2468) not on the voice menu, that came off somebody's business card or answering machine or some unknown channel.
That's it. Reuters is being sued over something very much like calling an unlisted direct phone number inside some company. How they got the phone number is, well, irrelevant. They're a news organization, they have reporters, whose job is digging up info like phone numbers.
Deep linking works the same way for anyone else too, of course. Like duh, if you don't want something to be reachable without going through the switchboard, don't give it a direct number exposed to the outside world.
It depends on how you define hacking... if they had no inside information about the URL, then yeah, guessing the URL would be a type of hacking but, I don't believe, one that could be punishable by law. For example, if I put an object I own in a public place... say, some place where the object is hidden but could be found if somebody was looking for it. Then a couple days later it's gone... is that theft? Sure, but, again, I don't think it can be punished. One of those "you should have known better," examples.
sig.
If you transmit something via RF, anyone can listen to it. It doesn't matter what the content is. If you don't take precautions to restrict access to information, then you might as well be giving it away. It doesn't matter that the Police don't want me listening to their transmissions; they don't encrypt them, or protect them, so they are mine for the taking, whether or not the freq is listed (although it almost always is listed here in the US). URLs, like frequencies, are just a way of addressing specific data (from the human point of view...).
It looks to me like they are trying to stretch the law to make up for bad server administration. I say if it is served up by your server, it is fair game. Putting something on your machine that can be served on request makes it public domain.
A very intelligent point. They didn't hack anything, they asked for the document, and the server gave it. They have absolutely no case.
using namespace slashdot;
troll::post();
Stockholm, Sweden -Intentia International (publ.) announces the results of its internal investigation launched due to circumstances around the fact that Reuters published Intentia's fourth quarter results for 2002 prior to the scheduled publication on October 24th. "The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.
The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters using an exploit in the web server. The entry took place at 11:51 pm on October 24th 2002, prior to the publication of the interim report for the fourth quarter of 2002. At approximately 12:57 pm, Reuters published the first news flash giving information on Intentia's third quarter result, without prior confirmation from the Company. Intentia issued its earnings report ahead of schedule at 1:22 pm that same day. "The incident has severely damaged confidence in us as individuals and in Intentia as a company, and has cost millions of dollars worth of damages" says Björn Flänsost, CEO of Intentia International AB.
"We question the methods used by Reuters, and our judgement is that we have been the target of illegal actions. As a consequence we will file criminal charges regarding the incident, and will seek the maximum penalties for all those involved" says Björn Flänsost.
On Thursday, Intentia contacted the Stockholm Stock Exchange regarding an internal investigation of the incident. "We will disclose to the Stockholm Stock Exchange all technical details on how the intrusion was made, which will allow them to share this information with other listed companies, so that actions preventing similar events in the future can be made," concludes Björn Flänsost.
"The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.
While most everyone here will agree that Reuters at worst could have their actions described as exploiting Intentia's utter stupidity, quotes like this show how little some people know about computers. This guy obviously thinks that just because they didn't provide an explicit hyperlink, the data on their server is "confidential." What I fear is that some non-technology-savvy judge will actually follow this same train of thought and rule against Reuters. Is this ridiculous? Yes. Is it unfortunately all too real a possibility? Yes as well.
PS - I checked Netcraft and they are running Windows 2000. Is it any surprise that their security guys would believe that data freely available on their server is secure if they also think a server on Win2k is secure in the first place?
Unless it was stated somewhere that the information was internal or unpublished (I didn't see that said anywhere), and if it was available on a public server (it apparently was), I don't see how even a court of law could find fault with Reuters' actions (and I'm not much into giving credit to the judicial system at this point).
In the court of clue (heh, I made that up!) they should be charged with three counts of public stupidity. One, for putting the information on a publicly reachable server in the first place if it was that important that no one see it yet. Two, for not protecting said information beyond just not linking to it from anywhere. Three, for suing. I'm just getting damn tired of companies suing people and each other because they don't understand their own technology at this point.
Now, how they got the URL might be another story if there was an employee who leaked it or something, but I wouldn't be surprised if the explanation was simply all their earnings reports were available as files in the same directory as earnings-200x.html.
Game... blouses.
AFAIK: There hasn't been a case like this in Scandinavia, so it could be interesting to see the outcome. Having read quite a lot of Norwegian and Swedish judgements on the subject, I think Intentia don't have a case as long as Reuters did not break any protection to get the documents.
An internet address is like any other address. Is it illegal to find someones house by giving directions to it?
When are people going to stop thinking of URL's and Domain names as trademarks, and more like Addresses?
Funny stuff, this.
I'm going outside, right now, with copies of some of my own financial statements.
I'm going to throw them onto the Main Street sidewalk, and stand just near enough to the pile that I can serve hastily-drawn lawsuit papers to anyone who dares to look.
The documents are undeniably my property, after all. Nobody has the right to see them unless I erect a big fucking sign pointing them out, even if they are scattered about a public walkway.
[Moral for the sarcasm-impaired: If you don't want your information to be public knowledge, now or ever, don't let it be publicly available. At all.]
Kid-proof tablet..
What a lot of people don't seem to realise is that the Google toolbar is allowed (but apparently doesn't) to send back the URLs you visit, and toolbars (like Alexa) and spyware do send back URLs you visit for indexing.
Furthermore, even if an engine like google didn't get the link from the toolbar, it could still get it from someones refererlogs.
If you don't want someone to read it - don't put it online.
Hurra for Knark!
Actually, this does raise an interesting question. If a page is put on the web that cannot be spidered, and cannot be reached from any publicly available page, can we assume that anyone who accesses that page has some sort of unauthorized information? I have never heard of hackers systematically trying IP addresses for content. And it is in fact likely that Reuters got the info from an employee... in violation of the employment agreement.
This should be a fascinating case, and not nearly as easy as the writeup makes it seem.
Thalia
In other news, dialing unlisted phone numbers without the express written consent of the number's owner is now a criminal offense.
Crikey. I just don't know where they find people this stupid. Same goes for this deep linking crap. Maybe people should have to pass some sort of test before they get to use the Internet. Otherwise they have to use AOL until they at least understand that anything you post to the web could be publicly accessible.
One of the defendants in the Petswarehouse case was accused of "hacking" into the petswarehouse site. He did this by altering one digit of a URL.
After he placed an order, it sent him to a page that was a simple URL that contained an order number. That page displayed ALL of his info, including credit-card number. He decided to see what would happen if he changed a single digit in the order number. Imagine his surprise when he saw some other customer's order, complete with CC number!
Petswarehouse actually tried to get the FBI to charge him with computer crimes for this amazing display of L88T HAX0R skillz. (sorry, I suck at hacker speak!)
For info about the case, see:
http://petsforum.com/psw/Docket.htm
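The "change one digit in the order number" bug described in the post above, as an added example that is not from the thread or from the Petswarehouse site: a toy order-lookup handler with the missing ownership check beside the fixed one, plus the harvesting loop the customer effectively ran by hand. Order numbers, customer names and card digits are constructed sample data; `SERVER_SECRET` is a placeholder for a real server-side key.

```python
"""Insecure direct object reference: an order id in the URL is not authorization.

`view_order_vulnerable` returns whatever order the id names. `view_order_fixed`
returns it only to the customer who placed it, and also exposes orders under an
unguessable reference so neighbouring ids cannot be walked. Sample data is
constructed; nothing here comes from a real shop.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

SERVER_SECRET = b"placeholder-server-secret"  # assumption: loaded from config in real code


@dataclass(frozen=True)
class Order:
    order_id: int
    customer: str
    card_last4: str  # only a masked form is stored; never the full card number


# Constructed sample data: sequential ids, three different customers.
ORDERS: dict[int, Order] = {
    1000: Order(1000, "alice", "4242"),
    1001: Order(1001, "bob", "1881"),
    1002: Order(1002, "carol", "0005"),
}

Handler = Callable[[dict[int, Order], int, str], tuple[int, Optional[Order]]]


def view_order_vulnerable(orders: dict[int, Order], order_id: int,
                          session_user: str) -> tuple[int, Optional[Order]]:
    """The bug: looks the order up by id and never asks who is asking."""
    order = orders.get(order_id)
    return (200, order) if order else (404, None)


def view_order_fixed(orders: dict[int, Order], order_id: int,
                     session_user: str) -> tuple[int, Optional[Order]]:
    """The fix: the logged-in user must own the order.

    A 404 rather than 403 avoids confirming that the neighbouring id exists.
    """
    order = orders.get(order_id)
    if order is None or order.customer != session_user:
        return (404, None)
    return (200, order)


def order_reference(order_id: int) -> str:
    """Unguessable public reference for an order (HMAC of the id under a server key).

    This stops id-walking, but it is a complement to the ownership check above,
    not a replacement: a leaked reference would still need to be authorized.
    """
    return hmac.new(SERVER_SECRET, str(order_id).encode(), hashlib.sha256).hexdigest()[:16]


def view_order_by_reference(orders: dict[int, Order], reference: str,
                            session_user: str) -> tuple[int, Optional[Order]]:
    """Resolve a reference back to an order, then apply the same ownership check."""
    for order_id in orders:
        if hmac.compare_digest(order_reference(order_id), reference):
            return view_order_fixed(orders, order_id, session_user)
    return (404, None)


def harvest(handler: Handler, orders: dict[int, Order], session_user: str,
            id_range: range) -> list[Order]:
    """Walk adjacent ids as the customer did and collect other people's orders."""
    leaked = []
    for order_id in id_range:
        _, order = handler(orders, order_id, session_user)
        if order is not None and order.customer != session_user:
            leaked.append(order)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", [o.customer for o in harvest(view_order_vulnerable, ORDERS, "bob", range(999, 1004))])
    print("fixed leaks     :", [o.customer for o in harvest(view_order_fixed, ORDERS, "bob", range(999, 1004))])
```

Logged in as "bob", walking ids 999 through 1003 against the vulnerable handler yields alice's and carol's orders; against the fixed handler it yields nothing, while bob's own order still loads by id or by reference.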
From: "ferrocene"
Subject: Re: Lawsuit @ http://www.intentia.com/w2000.nsf/pages/PR_5BBD3A
If an unauthorized page isn't met with a 404 or 403, you did something wrong. You have an incompetent webmaster. The proper way to remove a book from the library isn't to remove the card catalog, it's to remove the book.
-erik-
Most folk'll never lose a toe, and then again some folk'll...
For the record, there was a case recently here in France where a judge ruled in favour of a person who hacked the website of Tati, a retailer. In fact the only tools the hacker used were a regular browser, and the information was insufficiently protected. French speakers can read more here. Google should be able to help the others :-). While this case isn't the same, in France this has made jurisprudence that information that isn't protected at all from basic navigation tools, can't be considered to be "stolen", even if the original intent was not to publish it.
Try NetBSD... safe,straightforward,useful.
I'm no expert on how search engines work, but what if google had indexed the page (or whatever they do) first? Would google be sued then? Reuters did nothing wrong by accessing Intentia's server and Intentia knows it. It's just a humiliating situation for the company and now the need to find someone to blame.
.htaccess
The fact that Reuters published information that they (possibly) knew wasn't yet published could be seen as something you shouldn't do. But then again, if it's secret don't put it on the web.
One final word:
A few years back someone found they could get other people's details from the Australian Tax Office's site by manipulating the URL (that's the impression I got anyway). An ultra-quick googling turned this up. What happened to this guy? I can't remember. All I can remember is that he sounded really embarrassed when he was being interviewed and was referred to as a "hacker".
---
Yeah, well, that's just, like, your opinion, man.
The "80's" hit Sweden in the 90's.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
If they were to prosecute in the UK - I note Reuters replied to the allegations from their London HQ - here's what the law says:
So, it's quite straightforward really: if they can prove Reuters knew they weren't supposed to be looking at that material, then if the access was from the UK, a crime was committed. If Reuters can argue they didn't know the material was private, there is no case to answer.
Going back to the points some others have made about the information being publicly accessible with no .htaccess protection, clearly this doesn't matter. If, for example, you were to make a click-through that had to be viewed before you could see any of the content, stating that the information was confidential, then someone not supposed to be viewing it would be committing a crime to do so.
IMHO this PR stunt is an attempt to take the eye off their not so good results. According to the report Intentia's revenues declined by 14% during the period Jan-Sep 2002 and their operating margin is very close to ZERO.
IANAL, but I think they're stepping on thin ice because the report was already uploaded to a publicly accessible server and thus it should be considered published. Even if there was no hyperlink pointing to it, Intentia didn't take any protective measure to restrict access to the report. Reuters didn't have to circumvent any security measures, so they can hardly be accused of hacking. And since the report was on a public server they can't be accused of unauthorized access. Another possible scenario is that Reuters got the information about the document location from an insider, but the report was already accessible by the public so I can't see any wrongdoing.
Yeah, as usual everyone has rushed to make their own conclusions without bothering to think of plausible explanations other than stupidity. I can think of two ways in which Intentia could have a point: 1. A URL is not always just an address. If the URL contains session data such as a session key or password, the URL is in effect the upstream channel of a client-server connection. Manipulating the URL is then similar to altering packets in an IP stream. 2. The page isn't linked from anywhere and hasn't been used previously. Options Indexes is off. Now, if someone fetches the pages it's probable evidence of either a leak or a previous hack into the system.
I'm sorry if I haven't offended anyone
Did any other fans of the original Survivor immediately think of the (in)famous 'Gervace X' scam pulled off by CBC?
A synopsis:
When a 'survivor' was voted off, they would place his picture with a red X over it on the site.
When Survivor popularity skyrocketed, CBC placed pictures with Xs of all characters, except one, on the site. But they only linked those who had already been voted off.
They got mucho free publicity from all media outlets, as they scrambled to interview the 'hacker' who had manually typed in the URLs to locate the pictures, tried to locate the firm who did the web design, etc.
Imagine for a moment a world without hypothetical situations...
Which roughly translates to: 'we want to use the internet securely'.
They then put some confidential information on their public website, and sue the first people to read it
I don't stand in front of the window facing the street with the curtains open, beating my meat when I don't want to be seen jerking off.
.
Well, except when, uh, you know. .
He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
The 40 character ID code:
http://www.intentia.com/reports/latest/we_are_going_down_the_pan.pdf
Anybody could have guessed that ^_^
There's no doubt that the company that let their financials get out were completely moronic about their security. That, however, does not change whether or not it was wrong to hunt for this information. It's no different from the 'she was wearing something revealing so i have the right to rape/sexually harass her' fallacy.
It comes down to what the intent was and what the resulting action was. First, the Reuters reporter was probably looking for the data that wasn't released yet. He had intent to get something he wasn't supposed to have and get a story out of it. It's no different from someone with binoculars eying a payphone at an airport to steal calling card numbers from people who don't cover their keypads when dialing and then publishing the number/selling it/or using it to call some people.
The second half of the equation is what they do with it. Reuters had a scoop to gain by publishing this information early. If the reporter used this information to short the stock before it was released, that'd be illegal too. Think if we were dealing with something other than a press release. What if it was child pornography? Someone surfs to a random URL and finds child pornography. He could argue that he ran into it by accident, closed the browser and forgot about it. He's probably not going to be in too much trouble. But if he posts the link up on Slashdot claiming the story's about Linux, emails it to 1000 people, prints the pictures and mails copies to the police, then he's definitely guilty. Here Reuters found it and published it to get a story out of it. They acted on it and gave away something that wasn't theirs.
here.
Please note that they are using Lotus Domino as their web server. This means that there are no physical directories that you can chmod or "look into".
The URL contains the Domino internal document ID (similar to a GUID) and I still can not understand how Reuters "guessed" that. Sounds to me like this is an internal leak...
Hello! We have been informed by our lawyers that we need to attach some sort of warning to this financial statement. So here you are: If you are under 18, are not an employee of Intentia, or are working for a major international news organization, please don't read it. Thanks!
URLs can contain session data such as usernames and passwords for processing by cgi-scripts, in which case meddling with those can be seen to constitute hacking.
I'm sorry if I haven't offended anyone
Our vision is to become the leading global collaboration solutions vendor by supplying our customers with tomorrow's solutions today.
Well as I see it Reuters only kept in line with their philosophy. So why are they pissed?
It's their own damn fault if you can type a 2 in place of 1 in www.sweetass.com/jailbait_1.jpg
Would it be an illegal act to connect to someones smb-server, as user anonymous, and download files from his/her harddrive too? A lot of people share their entire disc without even knowing it, as windows turns smb on by default (at least it did when I last used it, win98).
Hey! That's my sig you're smoking there!
Smith said "This is an outrage, no one has ever seen me before, my house is almost impossible to find, I just don't see the need for curtains or locks."
Read reviews of shopping cart software
So, let's say someone voluntarily typed http://goatse.cx in their browser and hit the "Go" button -- would they be considered homosexual and/or an outcast?
A similar thing happened this year with the UK's booker prize
The winner.htm page was up before the winner was officially announced, not a difficult url to guess.
I just wish I'd placed a bet on the results, as the "Life of Pi" did indeed turn out to be the winner (note: it's not a novel about maths).
Soon the yuppies will start sharing stolen earnings reports :) just like people share movies and music before they have been released.
Seriously, if you put something 'secret' online and don't protect it... you're the one who screwed up, not the person who downloaded it.
All these companies seem to think that the Web is like a magazine: their neat little layout is all anyone should be allowed to use. But they forget that the Web was intentionally designed to facilitate deep linking and URL-typing for the purpose of transparent information exchange. They don't get to decide the layout and presentation of the data once they publish it so that it is accessible through a URL.
There is nothing about implicit permission to view here. I assert that they are EXPLICITLY granting permission to any and all to view the document when they publish it via a non-password protected URL.
That is the very foundation of the Web...without it we have interactive television.
The browser did not return: 403 or 401 and then they CRACKED their way in, they simply found an URL. That's where this law would come in.
What these guys did amounted to publishing an article in a magazine with the first page of the article being: Do not open until (date/time).
Now really, how are people going to take that seriously?
I am the Barber of Seville.
Seems like they're fighting over the wrong thing. The issue is not that the information could be found on the website and that they thought that security through obscurity would protect it. The issue is that company report information is price sensitive (i.e. it affects the price of the stock) and should not be made public until the company is ready to release it. Reuters know this, they deal with it every day, and should not have released the information until the public announcement was made. Unless this info is released to ALL distribution channels at the same time it can create a scenario where some users are able to make trade decisions prior to the rest of the market. This tends to be called insider trading.
All those moments will be lost in time, like tears in rain.
Did it mention in their earnings report how they managed to cut costs by having the janitor double as the system administrator?
The correct analogy to use here is not "it was an open window" or "a door that wasn't locked".
The correct analogy is the free information handout kiosk. Somebody put something at the kiosk sooner than they meant to, but behind a different handout.
It is funny how the Slashdot crowd can use double standards. It is ok to get the files that are publicly available from an internet site, but it's NOT ok when direct-marketeers get their e-mail addresses from their public websites.
Funny that is...
Of course... This *IS* slashdot..
I completely disagree.
From what I gather from the posts on here, it seems that these guys have a webserver with little to no security on it. If you use a basic webcrawling program, it likely jumps from link to link, which is what we expect AOL users to do online. However, a good web crawler will also check the directory by default as well, to see if there is an index (I've seen some of this in MY referrer logs).
Given that this was sensitive data, it should have been protected. Claiming that it was by not publishing the URL is like sticking it in a window of a building with thousands of windows. Eventually someone may see it.
Your analogy of the credit card numbers would be valid IF they had swiped a password to get to that point. But the server didn't ask for authorisation by any means. It was happy with a basic URL. There's nothing ultra-special about the URL to suggest that it's attempting to be hidden either. I doubt the location was intended to change, but to just be linked to.
Basically, Reuters has provided good reporting using the skills available to anyone with a decent webcrawler who has a set list of websites to follow. And if they didn't get it that way but got it through an anonymous tip, that's classic reporting.
The power of accurate observation is commonly called cynicism by those who have not got it. - G.B. Shaw
I'm not sure how much security went up since this article was published, but I've noticed that since this was broken on Slashdot, a bunch of security has started to be implemented.
At any rate, the URL that was used to reach the file wasn't that cryptic, it followed a pattern that HAD been used before. It's only logical to try to reach that, especially if you know it's coming time for them to publish again.
Exactly. This is equivalent to leaving a document pinned under a table on a street cafe (or under another note on a notice board). You're not advertising it's location, but if you find it, there is nothing stopping anyone from reading it.
A public web server is a publicly accessible location; if you give out your "private" documents without access control, no matter how obscure your filing system, then you have no expectation of privacy.
How about another example:
I place an unmanned, unguarded, unlocked filing cabinet in Times Square. This filing cabinet contains information that I encourage members of the public to access. My bank account PIN is stored in this filing cabinet under (SKGAKYG@&^KJH). Do I have any right to expect my bank PIN to remain private? Does it matter if the filing cabinet is in a publicly accessible area of my company? I would say no and no.
If you throw 'financial results embargo' at everyone's favourite search engine you'll find a bunch of press releases that have been made available in advance of the nominal release time - my understanding is that this is often done so that information is available at the same time to everyone regardless of the news service they subscribe to. It feels somewhat odd if the companies involved haven't in fact been doing this, but there may be some quirk of Scandinavian legal practice involved.
A bit odd, too, to find Reuters doing something that raises questions about their operating methods - most of the time they're keen to promote themselves as dependable partners of the companies they report on. They're undoubtedly feeling the effects of the current market storms themselves: perhaps a few corners were being cut in the effort to be first with the news.
Isn't it possible that Reuters had a bookmarked link to this URL? I know they say that it was unpublished, but maybe they had done redirection in the past, and Reuters bookmarked the redirected URL?
While it may not be illegal to actually view and read this information, it's potentially creating a conflict of interest for investors. If this was an earnings report published before its intended publication date, people will trade off that information. This could create a situation similar to insider trading.
And regardless of this, if it is proved that Reuters did this intentionally, they are totally at fault. They know this information affects the markets, and that the information gives their clients a (potentially unfair) competitive advantage.
If Intentia had an obvious Earnings Report or financial press release procedure, Reuters should know they will potentially be held responsible for releasing false information.
What if this wasn't the final Earnings Report? Then Reuters would potentially affect the trading of Intentia stock based on false information...
I do not think that Reuters actions were wrong. In fact I use bookmarklets quite a bit with browsing, and I like when URLs are predictable.
However, I wonder: What if the URL in question had been something like "ftp://username:password@ftp.whatever.com/"?
This will be a good precedent to cite when some other company decides to sue for spurious reasons.
Welcome to PR Whoring 101(tm) - all you need to know about getting PR in any way possible!
Sign up today to learn about the latest and greatest techniques - used by other companies on their way to bankruptcy! Highlights include:
- Learn that all publicity is good publicity
- Suing for Slashdot Coverage(tm)
- Turning your PR nightmare into a money-making machine
There is no need to worry about your company's uncertain future anymore. With "PR Whoring 101", you can get your company back in the limelight today. Learn how to use groundless lawsuits today to attract the public's attention! Remember:
No PR Is Bad PR!
Happy customers include: PetsWarehouse, Overture and SearchKing!
Join today.
It's pretty easy to fiddle with these things. Fusker does the same thing as the one mentioned in the other reply.
That's why breaking into someone's house is "breaking & entering." Even if you don't have to break in, entering is still criminal.
Except a public webserver is nowhere near a private property. The page was put on a webserver in order to be published.
Very appropriate sig on the topic by the way. And an addendum to the sig: "show a man slashdot and he is lost forever".
"The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.
Yeah - no shit Sven, IT blunders with sensitive information tend to do that.
But hey, just to make sure that everyone's confidence in your company is shattered, why don't you do the American thing and file a 'It can't possibly be my fault' lawsuit.
__ Someday, but not this morning, I'll finally learn to use the preview button.
Under whose jurisdiction will this be decided? America's or Sweden's? Intentia filed charges with a Swedish criminal investigation bureau, but I doubt the "offense" by Reuters representatives took place under their jurisdiction, even if it did involve access to their servers.
There will be many precedents set in coming years regarding remote access potentially as though it were local, and it will be interesting how those chips stack up.
While Galeon very well may, Mozilla does not have an up button. However there is a feature request for one open in the bug tracking system. If you want it too, help fix it or at least vote for it!
Cheers //Johan
Installed the Bubblemon yet?
...a script kiddie managed to hack into Hotmail's servers using a widely distributed hacking tool known as "Internet Explorer". The hacker typed the "URL" into the "Address Bar" and gained access to the site.
From here, the hacker sent emails to a number of associates which read: "| 4m teh 1337 |-|aX0R!!!!!1 j00 4LL ArE Cr4P!!!"
"Frankly, we're shocked," said one Hotmail employee. "Who would have thought that URL's would give access to sites on the interweb?" he continued before returning to his task of spamming Hotmail's users.
The FBI are investigating the hacker, rumoured to be in junior high, as well as the distributor of the hacking software, a small company known as MicroSoft, already known for flouting the law. Updates as they come to hand.
If someone does not want people to look into their house/website it is their own responsibility to take actions to prevent people from doing it, by closing the curtains/by using .htaccess etc.
When you are sure of something, you probably are wrong (search for "Unskilled and Unaware of It").
"... using an exploit in the web server".
"Exploit" is supposed to mean that Reuters did something more than typing a URL, isn't it?
Intentia's IT staff just plainly sucks.
"The site www.intentia.com is running Lotus-Domino/0 on Windows 2000".
OMFG. What a crap.
Don't you EVER do any business with Intentia.
If the jury finds Reuters guilty (for accessing publicly available information), can they please also convict the party responsible for creating the tool used in this dastardly deed?
;)
Sorry, I couldn't resist
The closest 'real-world' situation that I can imagine is someone sat in a public place reading a document with "Top Secret" written on it. Would this document be considered "public property" as the person was reading it in a place where anyone could easily read it over their shoulder?
I would have thought that the bigger story here would be that Intentia has released price sensitive information before they should have done, by making their Q3 results available for non-secure download. There are lots of regulations that mean companies get into a lot of trouble for leaking their results ahead of time. I think Reuters did us all a favour for highlighting this security risk.
Martin Piper
Owner - ReplicaNet and RNLobby
Here's another deep link to Intentia
Any judge should throw this case out. This is like leaving a nice, sensitive report lying in the sitting room of an office, then prosecuting anyone who read it. The report should have been kept in a much more secure location than a public webpage if it was of such sensitivity.
1 tequila 2 tequila 3 tequila floor
If Reuters is found guilty of "hacking" a publicly accessible URL, what would that mean for all us piss poor typists who enter the wrong address in the location bar and end up somewhere they shouldn't have been?
Time is what keeps everything from happening all at once.
A couple of years ago, we had submitted a bid for a (substantial) research contract. The results of the bid were held in the website, but were easily reached by typing the correct URL. Indeed, we found out about it just by using their search engine, which did index the offending pages. We were aware of the bid not being successful (sigh!) about a week before the official announcement. It was a bit embarrassing when at the official announcement most of the institutions who had not been successful had all had a good excuse for not turning up :-)
The 'softies were already antsy since when they called us all in for 'an important meeting', I had replied "Oh, is Bill finally buying us?" and this episode basically put them over the hill.
I quit on that day. Not because of this incident, but because I didn't want to work for Sauron.
[1] That was one of the more imaginative company names suggested for the buy-out of Commodore, back in the day. THPC and Barney the Dinosaur. :-)
Money for nothing, pix for free
I'll bet the next run of this story is about how some company pre-publishes a fake negative report at a non-disclosed (but guessable) URL on their web site and waits for Reuters (or someone else) to pick-up the story. Then, when the actual certified results are published, Reuters has a lot of explaining to do (as well as a few legal charges to answer.)
The next extension, of course, would be for some low-paid webadmin to game some auto news site (news.google.com comes to mind) as part of a pump-and-dump strategy (or would that be a cry-and-buy strategy?) to make a quick buck.
Do you trust your news source?
Do you still trust Reuters?
A new kind of meat designed to appeal to vegetarians.
whatever the password is, if you guess a password or the password is published on a web site or whatever, it's a crime to use it.
the root access is not for you, you must not use it by law.
it's like not locking your house - nobody may enter your house without your permission, regardless of the lock in your door.
Couldn't "finding" a "hidden" URL be viewed as "defeating a measure designed to protect" protected works?
Given the prevalence of security (heh) through obscurity in suit-driven IT, that means a great number of idiotic prosecutions in the future.
I don't know about other /. readers, but I know I often do things like peruse HTML source to extract URLs to work around broken/incompatible javascript gunk and such. If those were meant as "protection" does that mean I'm now committing a horrible crime?
I can see IE-only vbscript or somesuch being used to force people to access resources... scary.
-- MA
Reading this, I was first unsure of what the wisest handling of this would be: Should I keep my head down and let this blow over or stick my neck out and admit to being a swede?
My conclusion was that the only thing I could do was to come out, expose myself as being related, if only by nationality, to these... let's say 'common-sense-challenged' people.
My deepest apologies on behalf of the rest of us swedes who do actually have some of our braincells intact and active.
/Eddie
when I created my web-pages... It is annoying that they have turned up recently. I doubt that removing my web pages now would cause me to disappear from spam lists.
This is clearly ridiculous.
They published it by putting it into a directory from which the web server could serve up documents. End of story.
The arguments about "but that means burglary is allowed if you have no security" are completely specious. This has nothing to do with security. Through deliberate action, or even accidentally, they made the document publicly available. It's as simple as that.
thomas.ahlerup@intentia.se
to let him know. At the least, you might provide a security consultant with some work explaining the utter uncoolness of posting data to a public site until it becomes, er, public. I hope Reuters considers counter-suing over the possibly libellous statements published on the Intentia site. This sort of thing annoys me as much as the people who get drunk, trip over the edge of the sidewalk, and then sue the authorities because one slab was raised a few millimetres.
IANALBIBOU (I am not a lawyer but I brought one up)
Panurge has posted for the last time. Thanks for the positive moderations.
.. i'm a hacker?
where would the line between hacking/not-hacking go?
like, some things like this appear on google too, would that make using google search hacking..
geez.. what if i put up www.poikspoiks.com and didn't advertise it, and didn't properly set up the access before premier.. accuse somebody for hackin?? yea rite.
world was created 5 seconds before this post as it is.
http://www.intentia.com/w2000.nsf/files/kjafd_0210_us.pdf/$FILE/kjafd_0210_us.pdf
Now will someone who reads the relevant language tell me what, if anything 'kjafd' means? Links to other reports were all in a very similar vein, although the 'kjafd' part changes in a nonobvious pattern.
"Evil company X is threatening to restrict our rights! Let's all get together to stop--OOOH! SHINEY!!!" -- AC
Sheesh. Where'd they put the file? in public_html?
Wansu, th' chinese sailor
People, if you put a document on a PUBLIC SERVER with no authentication then it's fair game. If you don't want the public to see it, don't put it on a public server, or require a password to access it. If you don't do that, don't go suing people over your own incompetence.
assert(birth_date<time-86400)
Whenever you have mainstream, suits, greedy, and retarded judges making laws to control the web, you're going to have more and more retards out there whining and bitching as time passes. I do not see an end to the lunacy except to train the retards. Which is probably impossible, so we're all fucked.
What if I open my browser for the first time (probably for the session), and typed in the URL. I still don't know if the page has a link to it, so am I possibly doing a criminal act? How about when I want to go to a company's site, or a product's, and I guess the URL. Then? This, my dear people, is just plain stupid!
-- All true wisdom is found on T-shirts.
Just because my bathroom window's open doesn't mean you have the option of crossing the street, sticking your head in, and seeing what I'm doing in there. Sure, I screwed up -- I left my window open. But it's assumed that it wasn't my intent to display my wares to passers-by.
Intentia screwed up. It posted private data to a public network. Reuters knew that it wasn't Intentia's intent to release that information (yet) but still persisted in obtaining and releasing it to the general public. You could argue that Reuters was displaying savvy journalism.
I argue that Reuters displayed journalistic irresponsibility. Quarterly financial results can (and often do) change at the last minute. That's why companies set a release date, and publish earnings not before that release date. (Sometimes they'll even delay the release a few days, to straighten out something particularly hairy.)
Did Reuters break any laws? That's for a court to decide. Did they abandon their journalistic integrity? I think so.
The cure for cancer is coming: Reovirus
Ex-CEO: "Yes, I know I left the Company's secret documents on my window sill that faces the sidewalk, but they had to press their face against the window to read it!"
Judge: "Idiot"
Just because you're paranoid, doesn't mean they're not after you!
It's THEIR website.. they can put anything they want on it, without it being accessible by everyone. This is so stupid it's just sad. Do you think they'd have got sued if they password protected it? I don't, but yet the result is the same, not everyone can access the report.
What actions are they taking internally? Firing the relevant IT staff? Implementing new security measures? If nothing, then I smell a PR stunt.
If I were running the company, my first reaction would be to identify the security problem internally.
Ummmm *cough* *cough* chmod 700 *cough* *cough*
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
you had to know, or guess, what address to type in order to retrieve it.
Does not listing a library book in the card catalog mean the book is classified, private information? What if someone released a movie to the theaters, but didn't advertise or put the show times in the newspaper?
This is just a silly company wanting laws to cover their idiotic mistakes. It's easy enough to store your unreleased earnings report somewhere besides your live webserver.
$8.95/mo web hosting
you had to know, or guess, what address to type in order to retrieve it.
If you didn't know the URL and were trying to guess it - wouldn't that be technically considered hacking?
Frankly, this is a pretty bad way to get your name out - an IT company that doesn't understand the web any better than this? I wouldn't hire them to do anything, they sound totally incompetent. But they say any publicity is good publicity...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Anything put onto a web server, that can be accessed from the internet without any security (password, etc), should be considered "in the public". The report was available, even though there weren't links to it.
It'd be like having a store, with a big display covered by a tarp, and no employees around. If someone came into the store and peeked under the tarp, is it Breaking & Entering? I don't think so...
Ed Wedig
Graphic design services
docbrown.net
My lawyers will be contacting Intentia re licence fees for their use of my invention -- URLs that are publicly accessible, but not actually linked from the site's index page.
(Proof of concept published Sep-07.)
The really sweet thing is that once they've paid me, they can use the DMCA to go after Reuters, since clearly it's a technological protection mechanism they've circumvented....
Nordea has acknowledged that parts of the report were mistakenly put on its Web site.
Two options: either (a) Nordea is using "content management" software that pushed this earnings report to production, based on its workflow tools, without any of the contextual links, or (b) the Web team decided to rely on a blind URL in the place of real security because some clueless executive was in a big rush.
Ahlerup wouldn't comment on whether the company had made market-sensitive information available before it was released.
And we can't tell which.
I get requests all the time for demos to be put in "blind" directories on an existing server instance. Usually it's a rush presentation or something, a sales pitch that needs its own demo site in a hurry. There's no way in the world I'd do it with sensitive data on the splinter site, though. Not a chance. It'd be extremely negligent.
On the other hand, if the problem was with their "content management" environment, then someone's screwed up designing the publishing "workflows." The earnings report should have been contingent on the rest of the release, not a separate distribution. Some of that software is pretty bad about publishing date windows and contingent relationships, though, so I can see it happening.
"We want the authorities to test what can be considered to be private or public," Ahlerup said.
Floating a legal trial balloon is fine, okay. But it's time to revamp your web support team, not sue a news agency.
"Fundamentalism" isn't about divine morality. It's about human authority.
Publishing an earnings report before the company announces it is still rude, even if it's not technically illegal. I hope this case is thrown out, so as not to set a precedent, but I think it was a lousy thing of Reuters to do. It's one thing to guess URL's and obtain advance information for your own personal use; it's quite another to publish it to the rest of the world.
-John
A Danish company (http://www.valus.dk) presented last spring an electronic wallet that could be used for paying small amounts on the internet.
On a chatboard hosted by the magazine www.computerworld.dk their safety was discussed.
Someone posted that entering http://www.valus.dk/badscript.asp?x;shutdown would shut down their server.
Another one couldn't resist testing whether it was a joke or not, so he entered the URL and the server shut down... He tried it again the next day and it went down again.
A few months later the police knocked on his door, confiscated his computer and he is now charged with "hacking".
They argue that he should have known that the above URL would shut down the server (he was told in the chatboard) so it was a deliberate DOS attack !!
Try a search on groups.google.com for www.valus.dk
i.e.
http://groups.google.com/groups?hl=da&lr=&ie=UTF-8&threadm=aokrr5%24lr9%241%40tux.netsite.dk&rnum=2&prev=/groups%3Fhl%3Dda%26lr%3D%26ie%3DISO-8859-1%26q%3Dwww.valus.dk%26btnG%3DGoogle-s%25F8gning
or
http://www.snakeoil.dk/kommentarer/20021028-1
/Anders
Circumvention of an effective access control device.
Having a "secret" URL could be considered an access control, if it is secret and sufficiently non-obvious, it would also be effective.
By determining that secret URL, they have bypassed the access control, despite the trivial method, this could be considered unlawful access.
Poor security is not equivalent to permission. But not taking reasonable means to protect yourself is irresponsible.
For example some insurance companies don't cover stolen cars if the owner left the keys in the car.
Perhaps laws are different in Sweden than North America. I really don't think that this would even get to court here.
This is a prime example of a company lashing out at an external agency for a mixup that the company made and won't admit to. I wonder if anyone would have noticed at all if they hadn't called attention to it... I sure wouldn't.
It seems to me this is pretty cut and dry.
Q: What were the file permissions on the file?
A: [various others] & readable by all.
Q: Did the file exist in a directory that was readable by all?
A: Yes
Q: Was the world readable directory visible to the webserver?
A: Yes
Q: Did the webserver restrict access of any of its files (via whatever means)?
A: Possibly
Q: Did the webserver restrict access of the file in question (via whatever means)?
A: The file resided in an unpublished directory.
Q: Again, for the record, was the directory world readable?
A: Yes.
Call on expert witness:
Q: How difficult is it to restrict a file's visibility to a benevolent user of a website?
A: It's trivial.
Q: Is it common practice?
A: Yes.
I rest my case.
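The permissions Q&A above, and the thread's repeated "put a password on it" advice, amount to one defender's check: is anything served from the document root that nobody linked to on purpose? This is an added example, not code from the thread or from any company named in it. It assumes a plain static docroot where every file under the tree is served at its relative path; the directory layout, file names and contents are constructed for the demo.

```python
"""Audit a static document root for "blind" files: served by the web server
but never linked from any page in the tree.

Added example, not code from the original thread or from any company named
in it. Assumes a plain static docroot where every file under the tree is
served as-is at its relative path, and that pages link with href/src.
The directory layout and file contents are constructed for the demo.
"""
import os
import re
import stat
import tempfile
from urllib.parse import urljoin, urlsplit

# Crude link extractor: good enough for static HTML, not a full parser.
HREF_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"'#]+)""", re.IGNORECASE)

INDEX_NAMES = ("index.html", "index.htm")


def _url_path(docroot, full):
    """Filesystem path under docroot -> URL path such as '/reports/q3.pdf'."""
    return "/" + os.path.relpath(full, docroot).replace(os.sep, "/")


def served_paths(docroot):
    """Every file the server would hand out, as a sorted list of URL paths."""
    out = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            out.append(_url_path(docroot, os.path.join(dirpath, name)))
    return sorted(out)


def linked_paths(docroot):
    """URL paths referenced from some HTML page in the tree (same-site only)."""
    linked = {"/index.html", "/index.htm"}  # the front page is reachable as "/"
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            full = os.path.join(dirpath, name)
            page = _url_path(docroot, full)
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for target in HREF_RE.findall(text):
                parts = urlsplit(target)
                if parts.scheme or parts.netloc:
                    continue  # off-site link: exposes nothing local
                path = urljoin(page, parts.path)
                linked.add(path)
                if path.endswith("/"):  # a directory link reaches its index page
                    for idx in INDEX_NAMES:
                        linked.add(path + idx)
    return linked


def world_readable(docroot, url_path):
    """True if the file's mode grants read to 'others' (the Q&A's "readable by
    all"). Only a proxy: a server running as the file's owner serves the file
    regardless, so 'unlinked' is the real finding. Meaningless on Windows."""
    mode = os.stat(os.path.join(docroot, url_path.lstrip("/"))).st_mode
    return bool(mode & stat.S_IROTH)


def audit(docroot):
    """Return {'unlinked': [...], 'exposed': [...]}; 'exposed' is the subset of
    unlinked files that are also world-readable, i.e. handed to anyone who
    guesses the URL. Every served file is equally reachable; the report just
    shows which ones nobody apparently meant to publish."""
    linked = linked_paths(docroot)
    unlinked = [p for p in served_paths(docroot) if p not in linked]
    exposed = [p for p in unlinked if world_readable(docroot, p)]
    return {"unlinked": unlinked, "exposed": exposed}


def build_sample_site():
    """Constructed docroot mirroring the thread's scenario: a quarterly report
    dropped into the live tree ahead of the page that will link to it."""
    root = tempfile.mkdtemp(prefix="docroot_")

    def put(rel, content, mode=0o644):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(full, mode)

    put("index.html", '<a href="reports/">Financial reports</a>')
    put("press.html", '<a href="http://example.org/partner">Partner site</a>')
    put("reports/index.html",
        '<a href="q2_2002.pdf">Q2 2002</a> <a href="../press.html">Press</a>')
    put("reports/q2_2002.pdf", "(dummy) released Q2 report")
    put("reports/q3_2002.pdf", "(dummy) EMBARGOED Q3 report, not linked yet")
    put("reports/draft_notes.txt", "(dummy) internal notes", mode=0o600)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    result = audit(site)
    for path in result["unlinked"]:
        flag = "EXPOSED" if path in result["exposed"] else "not world-readable"
        print(f"{path}: unlinked, {flag}")
```

Run against a real docroot, the unlinked list is the set of "blind" URLs that an embargo is silently relying on; anything there that must stay private belongs behind authentication or off the live server entirely.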
Thousands of readers of a popular, yet poorly designed open source friendly news relay site are being sued by the OSN for directly typing in the web server's domain, without instead following a link to it.
Slay a dragon... over lunch!
There was a similar case in Australia a few years ago, so please forgive me for not going into great detail, as my memory is no longer photographic.
It seems there was an Australian Government site for information about your tax status. You entered your tax file number (same as the US SSN), plus a little more information to verify your identity, and then were shown a page with some tax information of some sort.
One man noticed that the page he was eventually directed to was http://somethingsomething.gov.au/something.asp?tfn={his-tax-file-number} and wondered how good the security was. So of course, he types in another tax file number in the address field to test it.
BLING! Someone else's tax information pops up! No security at all, someone had just dumped this simple database-access script on the web for all to see! He tells someone in the tax department (big mistake) about the security flaw and POW a piano falls on his head. Metaphorically speaking.
Are there any Aussies in the audience who remember any more details about this one? It was at least 3 years ago.. can't remember the final outcome.
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
Whitehouse
Washington D.C.
USA
May I please have the secret documents on taking over the world?
[Bush]Donald...You didn't actually send the documents did you?
[Rumsfeld] Well...
"Your honor, I never published my email address... This man is guilty, and the court should make an example out of him...
For us carnivores, "Sucking the marrow out of life" isn't a transcendentalist philosophy but a practical instruction.
...then it's public.
I'm thinking that Swedish company needs to access
http://intentia.com/get/thehell/over.it for an attitude adjustment.
This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
why would Reuters go through any trouble at all to hack into some little known company's web site in order to publish their financial numbers a few hours early? I'm willing to bet someone gave them the link too soon, put up a link too soon and then took it down, or Reuters just added the appropriate date onto the URL for last quarter's web page.
The truth doesn't care what I think.
.htaccess .HT freaking ACCESS !! For the love of God someone pull the head out of the admin's ass before he suffocates in there!
Please send your out-of-court settlement to: [suppressed]
--
bachiatari na torisetsu o yome!
By the same logic, it would be considered hacking to type in a domain name, such as beta.slashdot.org, before somebody was "ready". This is ridiculous.
I used to work at a company which used (at that time) a particular dynamic-content-management system (the name escapes me just now). At one point, one of the emails we received from a site visitor informed us that one of the big search engines had somehow (though no link existed to it ANYWHERE) managed to spider the admin page for that system... which was completely unprotected and included such information as our license key for this very expensive software.
To this day, I have no idea how that URL ended up on the search engine, but it just goes to show - if you want something protected, put a PASSWORD on it. Sheesh.
Or should we have sued the search engine for finding that link? Or the user who kindly reported it to us? Sorry, Europe. It looks like 'our' enjoyment of frivolous technology-lawsuits is starting to rub off...
... "I read part of it all the way through." -- Movie Mogul Sam Goldwyn (and some slashdot readers)
Oh shoot, I dialed a wrong number and heard a message announcing your earnings. File criminal charges quickly!
"Look people, Reuters, the friendly neighborhood news outlet, is EVIL! We, the small unknown firm that wants YOUR money in exchange for vapor services, are the VICTIM. And now we're all over your web, print and tv news, time to watch the stock ticker go up up up!"
This world is run by idiots and their money.
-Billco, Fnarg.com
It all boils down to this. Can a webadmin expect a document whose URL is not published or linked to to be off limits... Conventional web wisdom says it is not. If the directory had autoindex on, the plaintiff has no case and the case can be dismissed with prejudice. Otherwise there is room for some legal games but it will be still very difficult for the plaintiff...
BTW IANAL
If I'm right, and if the judge sees it too, look for Intentia to win the case and get damages of $1...
Swedish courts traditionally award far less damages than their American counterparts.
Look for something more along the lines of 1 SEK (= 1/9 USD)
;-)
And if you ask me, that's a lot more than they are worth.
"First lesson," Jon said. "Stick them with the pointy end."
When I type in a URL like www.comics.com I am essentially "guessing" that this URL exists and contains what I want. If it doesn't I move on. Essentially any URL I type in is similar to this. Now, www.comics.com cannot put their most confidential stuff at this page and then sue me for not following links. (links from where?)
There is no rule that accessing pages that are available to my web-browser is a violation of privacy, because the web server is present exactly for that reason: sharing what you don't want to be private.
The bottom line in this case is very simple. It's _my_ freedom of action to type in _any_ goddamn URL I want, in _my_ browser.
If some moron in their company doesn't know the difference between their web-share drive and the company private drive, they need to fire him/her.
The company site quotes: "The incident has severely damaged confidence in us as individuals and in Intentia as a company" and I am amused by this. YES, that's perfectly true.
Any company that handles such vital information in such a careless manner DOES NOT deserve much confidence or credibility, and they are just proving themselves that they are morons. But instead of accepting their shortcomings they are raving like an infant.
I think the key to their charge is the allegation: "The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters."
Which pretty much sums it up. Is it illegal to type in any URL I want in my browser and view the contents? I just hope that the verdict is a slap in their face and doesn't set any idiotic precedents.
DO NOT PANIC
By definition, putting a file in a "world readable" directory and setting the permissions to allow world access kinda implies that you don't care who reads this. Otherwise - why in the world would you allow this kind of access? If you place it in a world readable directory, you have no business complaining the world can read it.
If religious zealots don't believe in Evolution, then why are they so worried about bird flu?
I like the sound of what you say, and I generally agree, but I'd like you to consider the following observations in a reply, if you would.
You say:
This isn't exactly true of public-key cryptographic systems, is it? I mean, I suppose you could consider the public key as the "shared secret", but the point of it is that it can be public. On the other hand, the address (whether it be a memory location or i-node number or URL) of a byte range (protected by encryption or not) could be considered privileged information as a matter of policy, and would then constitute the shared secret of which you speak. Unfortunately, I don't know if this argument would be accepted by everyone. Let me try to reason along the same lines as you did and see where that takes us.
Now, given that some instant messaging client has used buffer overflows as a normal part of its operation (which one? I forget) and that programmable web interfaces (where, depending on how you look at it, you're supposed to do stuff that the service provider didn't anticipate) are all the rage now, does the foregoing still hold?
seems to me that if you set the permissions on a file to be world-readable, you're giving the (hang on here, this is a big jump in logic) world permission to read it.
It's probably too late for this to do any good, but here's Google's take on Secret Websites and URL guessing (from their webmaster's FAQ)
IMHO, if you put something out there, and don't restrict anonymous access, the information is freely accessible. Access is implicitly given - you can restrict access, not grant it.
If you blog it...
Monday filed criminal charges against news service Reuters PLC for obtaining an earnings report from a Web page it considered private.
If I consider something private, that does NOT make it so. If I put nude pictures of me on the side of my house and say "these are private, do not look at these" does NOT mean they are private.
Idiots.
If you do a Google search for intentia results, at least one early entry points to the Intentia 'press room' containing an earlier quarterly results announcement. The announcement page itself does have a 24 bit hex ID number in the URL (BA45EE etc) that would be hard to guess for a new quarter. But on the announcement page is this link:
Now the URL (which no longer works, natch) of the PDF file being linked to: is extremely easy to extrapolate to subsequent quarters. I have no doubt that's what Reuters did, for this company and many others with similarly easy naming schemes and early uploading schedules. And I have no doubt that other journalists pull the same trick. In this case, a company with results they'd rather nobody noticed has jumped at the opportunity to change the subject.
"Our mission is to pursue the perfect partnership, providing security in our customers' transformation to collaborative business models."
They didn't need to 'publish' their Q3 report to make their clients lose confidence, I think the first page of their website said it all.
Furthermore, it is the job of a news agency to unearth news. They put spy cameras in brief cases, they send reporters to interview angry people, they employ police scanners, and they peruse corporate web sites, looking for news.
If you're daft enough to give your quarterly report, or whatever, an easily guessed name, and place them at the disposal of a piece of software for publishing documents, you're going to have news agencies find it.
On three of those windows I have a big sign at the top that says "Jobs, Please Read" another with "Sales, Please Read" and another with "Press, Please Read". The windows are plastered with information that you would expect under those headings.
The fourth window is clear and has no sign.
One day I plaster an important and confidential message to the fourth window, in a lower corner and in a small font.
Are the passers by who bend down to read that message breaking any law or even any ethical code for that matter? If they talk about it, is it wrong?
And the guy who took it from the shoe did steal it. It is called "conversion" and the owner is entitled to sue to recover the property.
... it ain't trespass! Sending e-mail isn't trespass since they let the mail into their boxes.
If you are a dumbass and tape a $100 bill to the windshield of your parked car, and someone takes it, that is theft and conversion. It doesn't matter if it is "protected" or not. It is your property, and no one has the right to take it and convert it to their own use simply because you didn't "protect" it. Hell, the contrary to this is what SPAMMERs argue... it's an open relay, so I can use it, they didn't lock me out,
I agree with you completely and have made this same point on the deep linking issue.
The plaintiffs in this case chose to hook up a server to a network. They chose to assign it an IP and a DNS name to facilitate network connectivity. They chose to install web server software. They chose to configure that software to respond to HTTP requests for files on port 80 of their outside IP. They chose to start their web server. They chose not to use any of the myriad of standard security mechanisms such as firewalls, authentication, access controls, encryption, etc... that could have secured their file. They chose to put the file in question in the directory the web server was configured to publish to the outside world.
Then Reuters asked for the file via an HTTP GET request and the machines followed the instructions they were given and provided the file. It's kind of sickening that this argument isn't laughed out of court.
What if this happened at a library... Imagine the company published its earnings report in a book in a public library and someone checked that book out. Was a crime committed? Same exact principle to me. Maybe the case isn't as plausible but still...
Let me get this straight.... Intentia has a server that is full of files for the public consumption. Every file on that server is intended to be viewed by ANYONE. They then upload another file to the very public server, but THAT file will be considered 'hacked' by anyone who reads it before they announce it's release.
I hope to hell they don't have anyone's credit card numbers stored anywhere.
http://www.intentia.com/customerinformation.db
You are absolutely correct, and I verified this using Google.
Do the following:
Search on "Intentia quarter results" (no quotes)
click on Cached for "[Intentia] Intentia's Second Quarter Results 2002"
Find where it says "::: read the full report" and look at the URL.
It's not only not illegal, but it's common sense. It's as if Intentia was saying "This is where we put our quarterly results, so come back here later and get the Q3 results when available."
Send them an email, and tell them how stupid they are. Unless you actually believe this was an intentional marketing ploy (which it may be).
Am I the only one who tried this URL?
Yes. Loser.
Nope, no sig
Am I the only one who tried this URL?
No. I am such a loser.
Nope, no sig
Judge: "So the file was on your webserver?"
Plaintiff: "Yes, your honor"
Judge: "And you're mad because your webserver served the page?"
Plaintiff: "Yes, your honor"
Judge: "Ummmm, what did you expect your webserver to do?"
Plaintiff: "Uhhhhhhhh..."
Judge: "Next case bailiff"
Total Time: 7 minutes
Think hard about AC's question... they are both URIs that are typed in, and both produce undesirable (for the server owners) results.
True, AC's might exploit a flaw with the server itself while the one in the posted story simply access unlinked content, but how would one explain that to a non-technical user like a typical judge/jury?
Either way, this could turn into a bad, bad precedent.
Many sites employ Easter Eggs which sometimes require the user to guess at the URL. It's common practice and it encourages experimenting. If the report that was accessed was on the Web Server in a publicly accessible directory then I don't know why they think that they have a case. Many times when I'm stumped about a broken link I'll try and figure out what the correct link should be. If I leave a folder with confidential information in the Cafeteria of my company's building and someone opens it up to read it, does that make them a criminal guilty of Corporate espionage?
The problem here is that Financial data with the Company's credentials are being released to the Public, at a time not of the Company's choosing.
If the person who discovered the information kept it private, but made stock trades with the Company, we call that Insider Trading, and the person would face jail time. In this case, the person discovered the file, and released it under the guise of being "official", simply because it was located on (a non-referenced portion of) the Company's site. In effect, Reuters was pretending it was an official release.
A secondary problem is that a production system (the external web) is being treated as a test environment, by loading data into the folders but not linking to them. Anything on a production system can be accessed by anyone, and if the Company was not ready for that data to be accessed, then it shouldn't have been placed on the server until the minute they were ready to release.
Here's another scenario: Suppose a week ago, the Company began setting up for their earnings report. They put a copy of their earnings on the web, but did not link to it. In the meantime, the data became stale because of an error discovered in accounting. The file was not updated, because it is not linked to, so the world does not know it exists. Reuters now guesses the file, and publishes the link. The data is an unauthorized release of stale data, but it is being published by a source claiming it is official data. Outside investors would see the stale data, and would make costly financial decisions based on the (unknowingly false) data. The Company's stock could plummet, and severe losses could ensue. Plus, under recent disclosure laws, the Company's CEO could face stiff fines/jail for falsifying data.
So, both groups are guilty, the webmasters for not securing the data, and Reuters for unauthorized disclosure. I agree they should be sued, not for the simple act of "linking", but for falsifying the announcement of an earnings report, and let the SEC sort this one out.
Interesting. I'm under the lawyer-induced opinion that content deliberately made accessible via a URL on a publicly available server is just that, public. The URL is key, of course, the argument being that if no URL points to something, that "something" remains private.
That falls apart when other files, not meant for public consumption, stashed in the same file system, are accessible via a little creative editing of a published URL.
Is it a privacy violation to go fishing on a public server to see what else is lurking there?
-- Slashdot: When Public Access TV Says "No"
...is you have got to be freakin' kidding me! Someone please tell these people they are way too stupid to use a computer!
My college protects grades a similar way before they're released, last semester I started publishing a form in my web space (hosted on their server :)) that allows you to get your grades (presumably) as soon as they're scanned in, several days before their intended release. I don't know if anyone on staff noticed and/or cared; it may be that the official release time is just there to prevent complaining about "she got her grades before I could". All that was required to make the form was stripping down their grade submit page and changing one of the options in a select.
you know, is it really so damn hard to write an a href? is your time so valuable you can't spend five seconds in order to spare a thousand slashdotters theirs?
and now, icing on the cake, the fucking link doesn't even work.
Do you think it's legal to sit there and type in all the possible combos of http://login:password@www.mysite.com ? No, of course not. Then is it legal to sit there and type in all the possible combos of http://www.mysite.com/secret/annual_reports/xxxxxxxx.html ? No. Both are a secret and guessing that secret is akin to accessing it in an unauthorized manner. I think any URL that is not specifically linked to is implicitly off-limits.
adam
You have been Reuted!
It all comes of allowing the very stupid to hire lawyers.
"Everywhere you leak, the world hangs a bucket."
The company puts their earnings report in a tree trunk in the woods. Reuters tells the world where to find it.
The action of telling the world can hardly be illegal. Possibly the way the information was originally obtained could be.
Tor
Since you can't type in a URL without using a keyboard, obviously keyboards should be banned as an "anti-circumvention device". Fight link thieves, ban keyboards!!
If you can understand why that should be illegal, perhaps you might enlighten me.
You can find these links (NOT the actual files, just links to Apple's own site) at Apple manuals though presently they don't work, Apple finally seem to have got a clue and put a high-tech security feature -- a password -- on access, though that's happened before and apparently pressure from their service centres is to make it easier by not having this.
Of course, most of these files are for hardware that Apple doesn't sell or support any more (Mac Quadras, eg). You can of course find mirrors of the files, and there are guys making some change by burning CDRs of them and selling them on EBay (I'd link that, but it appears Slashcode doesn't allow EBay links). It's really hard to understand what their problem is with people knowing how to repair and upgrade their Macs, unless one goes with the forced obsolescence theory.
The only way they would know if they clicked a link or typed in the URL is via the Referer HTTP header. I propose a couple possible ways in which that Referer entry would not be transmitted to them, thus making it LOOK like it was typed in, even if it wasn't.
1) Out of the thousands of active browsers, perhaps they use one that doesn't send that attribute
2) Out of the thousands of active browsers, perhaps they use one that allows them to refuse to send that attribute.
3) Out of the thousands of active browsers, perhaps they use one that sent a mis-spelled referer header. As a side note, I have noticed this behavior with the "Range"/"Content-Range"/"Content-range" header.
4) Perhaps their server was expecting a slight variation of the referer header (read aside on #3).
5) Perhaps they were using an anonymous redirector
6) Perhaps they were using a Firewall that filters referer headers out
7) According to RFC 2616, "The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard." Perhaps it was coming from somewhere else that did not have its own URI.
8) Perhaps the receiving server was broken and not picking up the header.
9) Perhaps they were browsing a website that used the SCRIPT tag to launch and auto-fill in the URL.
10) Perhaps they were on something like the GAIN network that launched URLs without their permission.
11) Perhaps they had a virus
12) Perhaps someone at the suing company deleted the logs to frame them.
Should I go on? I am not saying that I expect that any of these were true -- but am pointing out that their referer logs are not valid for legal submission of evidence, since there is no way the suing company can guarantee that the URL was typed in.
http://www.google.com/profiles/malachid
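To make the point above concrete, here is an added example (not from any poster, and not Intentia's or Reuters' logs) that parses constructed access-log lines in the common "combined" format and classifies each request by its Referer; the "unknown-source" bucket is exactly the one the list above describes, since a typed URL, a stripped header, a script and a bookmark all land there. Host names, paths and timestamps are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample lines in Apache/nginx "combined" log format (not real logs).
# Field 9 is the Referer; "-" means the client sent none.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2002:09:00:01 +0200] "GET /q3report.pdf HTTP/1.1" 200 48231 "http://example.com/press/" "Mozilla/4.0"
203.0.113.10 - - [10/Oct/2002:09:00:05 +0200] "GET /q3report.pdf HTTP/1.1" 200 48231 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2002:09:01:12 +0200] "GET /q3report.pdf HTTP/1.1" 200 48231 "https://redirector.example/go" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2002:09:02:00 +0200] "GET /q3report.pdf HTTP/1.1" 200 48231 "-" "Wget/1.8"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Request:
    ip: str
    path: str
    referer: Optional[str]   # None when the client sent no Referer at all
    user_agent: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ref = m.group("referer")
    return Request(
        ip=m.group("ip"),
        path=m.group("path"),
        referer=None if ref in ("", "-") else ref,
        user_agent=m.group("ua"),
    )


def classify(req: Request, site_host: str) -> str:
    """
    Label what the Referer does and does not tell the server operator.

    A present Referer shows where the client *claims* it came from. An absent
    one proves nothing: RFC 2616 forbids sending it for a typed URL, but a
    stripping proxy, a privacy setting, a script or a broken client look the same.
    """
    if req.referer is None:
        return "unknown-source"
    host = urlparse(req.referer).hostname or ""
    return "internal-link" if host == site_host else "external-link"


def summarize(log_text: str, site_host: str) -> Counter:
    """Count requests per label, skipping unparseable lines."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is not None:
            counts[classify(req, site_host)] += 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG, "example.com").items()):
        print(f"{label:15s} {n}")
```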
to allow the maximum amount of collaboration to go on - maybe their software lets everyone see every document?
The Web is a shared information space; GET is its designated means of making a safe, side-effect free request for retrieving a representation of a resource.
This isn't debatable; it's enshrined in the protocol --
and by the W3C's Architectural Principles of the World Wide Web (in progress) --
Reuters did nothing wrong, because it isn't the act of linking to an object that makes it available on the Web (and doing so is still, in most reasonable people's minds, protected; see the deep linking issue). Rather, it's the act of, well, making it available, by exposing an interface that understands GET and other HTTP methods as appropriate.
After all, a protocol is, in a very real sense, a contract. If they had wanted to make the resource available but restrict access to it, they could have used HTTP authentication or even cookie authentication; in either case, they have control over who gets an authentication token. GETing a URI is not illegally obtaining access, because a URI in the request-line is an identifier, nothing else.
It's very likely that the publishers were using software that they didn't understand fully, and that is poorly designed, by making assumptions about the nature of the Web and how resources on it are accessed (i.e., "people only use browsers to navigate the Web").
God, what a stupid thing to complain about. You know, if that information was placed in a public server (IMHO typing an URL is not hacking at all), it means that it's public, isn't it? I mean, if it really was private information... why the hell did they place it in a public server?
I don't understand these people.
They claim to be an information technology company and complain that their reputation has been damaged - well of course it is going to be damaged if you act like a bunch of twits who have no idea how to use computers. I certainly wouldn't trust these clowns after this bit of utter stupidity.
Besides even they state that Reuters only published the information after the company had officially published it themselves. And even if they hadn't, as far as I'm concerned this falls under investigative journalism and should be thoroughly protected - corps would love nothing better than to keep out the prying eyes of journalists so they can get on with their nefarious activities.
Ok wait, so I can get sued if I link to a site (DeCSS) and I can get sued if I DON'T link to a site? Ah heck, I'm going back to writing my web pages with a pen and paper!
-Jason
So what Reuters did was smarmy, if guilty as charged. And the Swedish company didn't file a lawsuit against Reuters themselves, as the writeup claims. They reported the event and a criminal action is now pending, which means it isn't just between the two companies now. It's a government thing. What Sweden can do against a non-Swedish company depends on other, currently unknown (to us) factors.
In short, it's a morals thing. There's lots of things we can do, but we don't because it's wrong, even if technically possible. That's the real missing piece in the analysis: thinking that it's OK to do anything, if you know how and can.
What Reuters did is the same thing as if someone came to my house and looked into my window and took nude pictures of me and posted them on the Internet. Just because my curtain is open and they could see inside my house does not give them the right to make public what they found.
If I catch someone peeping into my house I call the police. When someone is peeping at things on my web server which I'm not displaying it's the same thing as looking into my window so in that situation I call the police too.
Does that mean I can sue everyone out there that has the Nimda virus? After all, they're all illegally attempting to hack into my computer by trying to access /scripts/..%5c../winnt/system32/cmd.exe, even though I never provided a link to that page.
...don't play on the interstate.
If you don't want people to see your internal company data, don't put it on the Internet.
Got it boys and girls? Yes? OK, now we can have milk, graham crackers, and naptime.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
"can we assume that anyone who accesses that page has some sort of unauthorized information?"
This word "unauthorized" seems to get thrown around whenever a company doesn't like how something is used. My objection to it is that its use supposes that the company has the power to grant or deny authority to us. Reuters doesn't need to be authorized by Intentia to try undocumented URLs, nor to view public html. We don't need Sony to authorize us to play imported games on consoles that they made but we own. We don't need a studio's authority to play DVD's from a different region. You don't need Microsoft's authority to load Linux onto your X-Box.
Unfortunately, courts and other powers seem far too willing to buy into it and rule against "unauthorized" actions.
Don't moderate flamebait as Troll. Know the difference or you will be Meta-moderated.
From The Register article:
However Intentia isn't alone in its accusations. Three other Scandinavian companies Nordea, the region's biggest bank; Fortum, the Finnish energy group; and Sweco, a small Swedish consultancy also claim that their results were published by Reuters ahead of their official release, the FT reports.
The obvious conclusion from this... is that Reuters is in possession of a time machine.
so -- they supply tomorrow's solutions today, but if Reuters does it, it's a criminal act?
I'm going to hunt you down...
::glowers::
Posting AC cannot save you.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
If you remove the web from the equation and think of it in terms of a printed piece of paper, leaving your confidential information in a public place doesn't seem like the brightest of ideas, does it? It doesn't matter if the piece of paper is facing down, you've still put it in a public place.
While I don't think Reuters was justified in printing unpublished information, the fault still falls back to the company.
Case dismissed.
I don't do this for karma, I do it for cash. It's much better.
internia does ebusiness.
is anyone else scared by this?
2 1337 4 u!
Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report that they sent to Reuters with an accompanying post-it note that said "please publish me". The catch? The report couldn't be accessed unless you understood an obscure and arcane code called "the English language". The precedent this case sets will be interesting. If you write a report in a language that has no native speakers that actually use it correctly, can it be considered public?
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
If you visit http://www.intentia.com/w2000.nsf/pages/ you will see a list of all available documents that can go in the "frame", including press releases.
It took me 2 minutes to stumble on that, and Reuters probably did the same. How was Reuters to know what Intentia's "schedule" for releasing that document was? They probably bookmarked that index of PRs for quick reference some time ago, and recently saw something new, and publicized it.
How that constitutes "hacking" I do not understand. I put full blame on the webmaster.
Let him know what you think!
webmaster@intentia.com
I think it is common practice to type in URLs by hand. I do this quite often. It's just complete nonsense to sue somebody for information obtained from a public web server without any password cracking.
See my previous post
Not that I would partake in something like this :) but often cracks only work on a specific software version...
Pretty common to hack the URL to get a slightly older version right from the company's website.
Hard to believe that would be illegal.. although of course the cracking bit would be.
www.my.com/report2000.pdf
www.my.com/report2001.pdf
and the world is waiting for 2002 report, would it really be a surprise when millions try to download www.my.com/report2002.pdf one day before the actual release? Come on, _everybody_ would do that. Perhaps one should sue Intentia for violating some stock exchange rules by not protecting the data.
Technically speaking, I'm very familiar with the server platform they use (Domino) and it's extremely secure (NSA, CIA, etc use it). For them to characterize this as a 'break in' is stretching it a bit. Domino provides security from server level down to individual user roles and fields. It's very simple to secure a file or page. Additionally, the standard procedure is to not replicate data you don't want made public to an external box, just in case you forget to secure a document.
For those of you interested in the technical/legal issues of 'publishing' the link, let's not forget that Domino has a few well-known powerful facilities to search and index content on a site... (ie: ?SearchView)
Domino Developers Site
Search URL Syntax
Documentation on R5 Search
Documentation Library
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
It depends on how hard you try to prevent the accidental access of the information. If you have been clearly trying hard to prevent the access, then you may have a case (legal recourse). However, I submit you this:
http://www.intentia.com/w2000.nsf/pages/
which is a link to all of the press releases, etc. Why this is publicly accessible, I don't know. I just took the last part of a link on the frontpage off. I could do THAT just by mistyping. (It appears to be down now... the whole website maybe... oh well, slashdot strikes again).
So who's trying to fool who here...
Remove the "PR_5BBD3A" bit from the URL you provided, and surprise surprise, where do you think Reuters picked up that press release...
Don't mod this up, I've mentioned it like 3 times now because I want to clarify that Intentia's webmaster is the BIGGEST FINGER POINTING IDIOT EVER.
A few months ago I guessed the URL to the then-new Star Trek Nemesis teaser from Apple's site ten minutes before their trailer page was updated to access it, ensuring I got it at high download speed before the masses linked in and slowed everything down.
Guess I'll be expecting a court summons soon...
Web servers are inherently public. Placing sensitive data on a web server means that one can reasonably expect that it will be accessed.
Stupidity is not a valid business strategy. Companies like this have no business asking a court to defend them from their own inept practices.
-- Windows is not simply installed on a computer; it is inflicted.
He's saying that it's not hacking when you aren't bypassing any form of security.
If I put a new memo up behind another piece of blank paper on a public bulletin board, and someone moves that blank page aside to look at the confidential company information on that memo, have they illegally accessed the information? No, I was just stupid.
This is not about browsing a house; this is a public webserver with absolutely no access controls, and with human readable URL's that make some kind of sense.
It's very common for people to look at URLs and guess at the meaning to navigate to other parts of a site (ie: changing an obvious date to get older listings, changing resolution values to get a larger than normally provided map, et cetera). These things are hardly illegal.
What should really be at issue is whether Reuters should have known the information was not to be released yet.
Am I a hacker now too? I typed URL twice already now.
Ok, this is lame, duh.
1. Everybody visit Intentia's site right now, taking note of the fact that they prevent your browser's BACK button from functioning.
2. File criminal charges against them for hacking your computer.
Favorite line:
Like they aren't doing enough of that on their own. Presumably they have research that backs up their damage claims. Yeah, right.
This guy got in trouble for a similar thing.
Worth a look.
http://www.pc-help.org/privacy/chq/
A store can easily be protected by purchasing video cameras. That doesn't make it legal to burglarize a store that just uses lock-and-key.
True. But people from Reuters didn't physically enter Intentia's offices against Intentia's will, and carry away paper documents. That's clearly illegal. What happened doesn't appear to be illegal, to me.
Reuters communicated with an automated system, called a web server. Intentia made this system publicly accessible through a system of computers collectively known as the Internet.
Using the internationally recognized communication language of that system, called HTTP, Reuters then conveyed a request to Intentia's system that Reuters wished to be sent information about Intentia's sales reports. Intentia had configured their automated system to grant that request to anyone who asked. The automated system then sent Reuters the requested information, just as Intentia's administrators had designed it to do. Intentia had the option of configuring the system to refuse the request, but configured it instead to grant the request.
There is no evidence to suggest that Reuters misrepresented itself to the system, or tried to take something from the system that Intentia had not configured it to grant. In short, the sole claim of "hacking" rests upon the fact that Intentia didn't expect anyone outside the company to ask for that document. But as far as I know, asking for something isn't a crime.
It's not burglary if you ask the salesperson if they will give you something, and they choose to give it to you.
Disclaimer: I Am Not a Lawyer. I Am Not A Police Officer. I Am Not a Alien from Mars. I am Not a Flying Fish. "Mod Me Down If You Must, But..." Natalie Portman. Hot Grits. All Your Base. Karma. Insert Standard Slashdotism Here.
Score -5, Silly Disclaimer.
--
AC
I put a bunch of job adverts on the site I run and link to them with an SQL query in an asp page. Using this I can pull the links to the document using the closing date field. The documents are still there, so are we still advertising the jobs?
Mongrel News all the news that fits and froths
HOW DO THEY KNOW ABOUT THAT?!?!?!
Sometimes I get this eerie feeling that there are PEOPLE watching ME!
chmod 100 file.pdf and chown root file.pdf - then either chmod/chown it back manually or write a cron job to do it.
wrap the file in a php file that checks the date first (the pdf would be outside the server root and the php file would write a few headers and then spit out the file)
Don't put it on the site until it's really time to be public! I've known people who put new versions of websites in subdirectories called "beta" or something equally simple, and other people who wrap links to "secret" files in <font color="#FFFFFF"> tags. Security through obscurity is inexcusable when there are very simple techniques that will greatly improve security.
I really hate signatures, but go to my website.
I'm not someone who is really knowledgeable about setting up webservers. I have a simple one I set up and am applying the concepts here; they may be invalid. When I set up my server, anything someone on my server wants published has to go in a folder called public_html. I assume something similar happens on commercial sites. There is a folder in which anything placed is fair game. Providing that is the case, and Reuters didn't do any old hacking tricks like enclosing backslashes to back up a folder to get outside of a publicly declared area, how can anyone claim they hacked someone. (sorry for the run on sentences, a problem since high school--grin)
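The two ideas raised in this thread, a PHP wrapper that checks the release date before spitting out a PDF kept outside the web root, and the later point that a request must not be allowed to back out of the publicly declared area, combined into one added example. This is not code from any commenter; the directory /srv/private/reports and the release timestamp are hypothetical placeholders.

```php
<?php
// Added example, not from the thread: a date-gated download wrapper.
// Assumptions (hypothetical): reports live in /srv/private/reports, which is
// outside the web server's document root, and $releaseAt is the official
// publication time. The PDF itself is never reachable by a guessed URL.

declare(strict_types=1);

const PRIVATE_DIR = '/srv/private/reports'; // hypothetical path

function serve_report(string $requestedName, DateTimeImmutable $releaseAt, DateTimeImmutable $now): int
{
    // 1. Accept only a plain file name: no slashes, no "..", no stray characters.
    if (!preg_match('/^[A-Za-z0-9_-]+\.pdf$/', $requestedName)) {
        http_response_code(404);
        return 404;
    }

    // 2. Resolve the real path and confirm it is still inside PRIVATE_DIR,
    //    so a crafted name cannot reach outside the declared area.
    $base = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . '/' . $requestedName);
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        http_response_code(404);
        return 404;
    }

    // 3. Before the release time answer 404, the same as for a missing file,
    //    so the wrapper does not even confirm that an unreleased report exists.
    if ($now < $releaseAt) {
        http_response_code(404);
        return 404;
    }

    // 4. Release time has passed: write the headers and stream the file.
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . $requestedName . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    return 200;
}

// Hypothetical official release time for the quarterly report.
$releaseAt = new DateTimeImmutable('2002-10-24 08:00:00', new DateTimeZone('Europe/Stockholm'));
$name = (string) ($_GET['report'] ?? '');
serve_report($name, $releaseAt, new DateTimeImmutable('now'));
```

Because the script is the only route to the file, the date check cannot be bypassed by guessing the PDF's name, which is exactly the gap the Intentia case turns on.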
I'm using Opera 6.05 for Win...I can hit 'back' with no problems...I just went to the main site, though.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
To follow this analogy:
It would be like catching a bunch of people skinnydipping in the local river/lake/whatever (someplace public) and yelling it out to everyone, perhaps calling it in to the radio etc.
As for legality (ignoring the non-issue legality of public nudity Vs public website) I'm not sure if it would be illegal to let this info out
- Publishing the website address: No hacking.
- Obtaining the website address if there wasn't a publicly visible URL: No hacking
- Obtaining the website if it came through a call-home from google toolbar or similar tool: no hacking (has disclaimer providing info on what it does)
- If somebody used a vulnerability in a site or PC to obtain information on the address in question: There is the hacking
All the rest would go somewhere else in the legal areas, perhaps damages for compromising their financial information before release time (with demerits to Intentia for stupidity in not sticking an
Something like when you know dialing "0" in an automated phone system often leads to a direct operator. The annoy-a-voice prompter may not tell you that 0 works (or at least not until later), but you can still hit it beforehand...
I have two sites that I administer that have pages that are not linked to the main site and are considered "internal" and thus not legally accessible by outside parties. To get to those pages, you would necessarily have to have been given the URL by the staff of the company. These pages are labelled as internal and there are warnings at the top of the pages against accessing the material without proper authorization.
Even so, if anyone published links to those pages, they could, and should, expect to find themselves the target of breach of privacy lawsuits.
The web is used for dissemination of information, not only for public consumption, but for internal and private purposes. That information is often proprietary and, ostensibly, secret, and making that information public could put a company's continued operation at risk.
I wholeheartedly hope the courts rule against Reuters. This sort of breach is unacceptable.
*** *** You're just jealous 'cause the voices talk to me... ***
What if a company has a work-in-progress version of its q/annual report, with inaccurate numbers, basically a boilerplate with numbers to be fixed later. Then someone mistakenly publishes that on the company's site before the actual results are announced.
Say this "accident" happens a few hours before the real deal.
Now, a news agency picks up this WIP report, then goes on to report the numbers on it.
Stock swings, profits are made, eventually the real thing comes out. Pop goes the news agency's credibility.
The WIP numbers could be just a tad off the whisper figures, but still enough to cause a market move, hence the news agency doesn't doubt the numbers which cannot be confirmed or denied by the company itself.
A news agency's worth is its credibility and accuracy, especially concerning financial info. Which will be the first casualty of a faulty leak?
This has BBBBBAAAADDDDDD! implications. If Reuters is found liable, webmasters and researchers everywhere will be facing the same nightmare that file-swappers and software developers are facing with the overly-broad DMCA. What if your website links to a URL no longer publicly linked to on that URL's domain? If that URL is meant to be a secret webpage all of a sudden, you'd be liable. Many of us use scraping bots in Perl, PHP, CFML, etc. that gather info from other sites automatically, oftentimes using old URLs or URLs hacked together by our own intuitiveness. We would then become liable for any information found using information those bots gathered on our own website or in our own news stories. We all better hope that a judge realizes that, if a webpage is available in a public web browser with no use of a password or encryption, then that webpage is public domain and may be viewed and referenced by any journalist, webmaster, student, customer, lawyer, law enforcement, researcher, etc. Linking to a URL that is public or not, but requires no sort of authorization to access, no security, should not be an illegal hack. What about search engines with old, now non-public URLs?