Slashdot Mirror


Reuters Accused Of Hacking For Typing In URL

Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."

9 of 563 comments

  1. Doesn't seem very serious of Intentia by nordicfrost · · Score: 4, Informative
    I always thought the golden rule was "If you don't want anyone on the 'net to see it, don't publish it!". That's what we use on our site, if a new music video is to be published Monday at noon, it is uploaded 11:59 and linked 12:00.


    AFAIK: There hasn't been a case like this in Scandinavia, so it could be interesting to see the outcome. Having read quite a lot of Norwegian and Swedish judgements on the subject, I think Intentia don't have a case as long as Reuters did not break any protection to get the documents.

  2. A decent writeup, and an interesting question... by Thalia · · Score: 5, Informative
    Here is a decent writeup from The Register. The accusation is that "results could only be accessed via a 40 character ID code." Now whether this is an extended address, or a password is unclear. It also notes that there are a couple of other firms that have also accused Reuters of hacking into their systems to get early access to reports.

    Actually, this does raise an interesting question. If a page is put on the web that cannot be spidered, and cannot be reached from any publicly available page, can we assume that anyone who accesses that page has some sort of unauthorized information? I have never heard of hackers systematically trying IP addresses for content. And it is in fact likely that Reuters got the info from an employee... in violation of the employment agreement.

    This should be a fascinating case, and not nearly as easy as the writeup makes it seem.

    Thalia

  3. Here in France by OrangeSpyderMan · · Score: 4, Informative

    For the record, there was a case recently here in France where a judge ruled in favour of a person who hacked the website of Tati, a retailer. In fact the only tools the hacker used were a regular browser, and the information was insufficiently protected. French speakers can read more here. Google should be able to help the others :-). While this case isn't the same, in France this has made jurisprudence that information that isn't protected at all from basic navigation tools, can't be considered to be "stolen", even if the original intent was not to publish it.

    --
    Try NetBSD... safe,straightforward,useful.
  4. It is Lotus Domino... by Cpt_Corelli · · Score: 5, Informative



    Please note that they are using Lotus Domino as their web server. This means that there are no physical directories that you can chmod or "look into".

    The URL contains the Domino internal document ID (similar to a GUID) and I still can not understand how Reuters "guessed" that. Sounds to me like this is an internal leak...

    1. Re:It is Lotus Domino... by MightyTribble · · Score: 5, Informative

      A few things about Domino, from a sometimes-Domino admin:

      First, you can have *really awful* Domino URLs. This was not one of them - they took the time in their DB design to make it a nice, easy on the eyes address.

      Second, and more importantly, Domino makes Access Control trivial. It would have been the work of moments to make that db private. They didn't do that.

      Finally, Domino regularly indexes all public databases on a site. The search engine can also parse PDF files. This makes all public documents findable unless you take measures to prevent indexing. Given how these monkeys set up the rest of their site, I wouldn't be surprised if this PDF was findable via the website's regular search feature.

      It looks like this company has *no clue* what they were doing, and is trying to blame someone else for it.

  5. Re:Related: what about referer logs by NotesSauceBoss · · Score: 5, Informative
    "Domino on its own doesn't have a web server you need to use and can use Apache, IIS, or WebSphere with Domino."

    Wrong. A Domino server out of the box includes full HTTP services. This is part of the generic install. No additional HTTP software is needed, although you *can* configure Domino to use an alternative HTTP stack if you prefer.

    Why isn't there a moderation setting for "incorrect?"

  6. Google Take on Secret Servers by no+soup+for+you · · Score: 5, Informative

    It's probably too late for this to do any good, but here's Google's take on Secret Websites and URL guessing (from their webmaster's FAQ)

    6. Googlebot is downloading information from our "secret" web server.

    It is almost impossible to keep a web server secret by not publishing any links to it. As soon as someone follows a link from your "secret" server to another web server, it is likely that your "secret" URL is in the referer tag, and it can be stored and possibly published by the other web server in its referer log. So, if there is a link to your "secret" web server or page on the web anywhere, it is likely that Googlebot and other "web crawlers" will find it.

    IMHO, if you put something out there, and don't restrict anonymous access, the information is freely accessible. Access is implicitly given - you can restrict access, not grant it.
    --
    If you blog it...
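
Added example (not part of the thread or of Google's FAQ): a small audit of the Referer leak the FAQ excerpt above describes, listing the links on an unlinked page that would hand its URL to another host. The page URL, the HTML and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Referrer policies that never send the full page URL to another origin.
PATH_SAFE = {"no-referrer", "same-origin", "origin", "strict-origin",
             "origin-when-cross-origin", "strict-origin-when-cross-origin"}

class RefererLeakAudit(HTMLParser):
    """Collect off-site links that would carry this page's URL in Referer."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.policy_safe = False      # set by a page-wide <meta name="referrer">
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.policy_safe = a.get("content", "").lower() in PATH_SAFE
        elif tag == "a" and "href" in a:
            target = urljoin(self.page_url, a["href"])
            parts = urlsplit(target)
            if parts.scheme not in ("http", "https"):
                return                # mailto:, javascript: etc. send no Referer
            rel = a.get("rel", "").lower().split()
            if parts.hostname != self.page_host and "noreferrer" not in rel:
                self.leaks.append(target)

def leaking_links(page_url, html):
    """Return the off-site link targets that would learn page_url."""
    audit = RefererLeakAudit(page_url)
    audit.feed(html)
    return [] if audit.policy_safe else audit.leaks

# Constructed sample: an unlinked report page with four links.
SAMPLE_URL = "http://www.example.com/unlisted/q3-report.html"
SAMPLE_HTML = """
<html><body>
<a href="summary.html">Summary</a>
<a href="http://partner.example.net/glossary">Glossary</a>
<a rel="noreferrer" href="http://stats.example.org/">Stats</a>
<a href="mailto:ir@example.com">Contact</a>
</body></html>
"""

if __name__ == "__main__":
    print(leaking_links(SAMPLE_URL, SAMPLE_HTML))
```

Current browsers send only the origin cross-site by default, so the full path leaks mainly from older clients or from pages that loosen the policy; either way, the durable fix is access control on the document rather than an unguessable URL.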
  7. Re:Related: what about referer logs by tzanger · · Score: 5, Informative

    "No, Googlebot needs a link."

    No, it doesn't.

    Google plays tricks with servers. With Apache, for instance, it tries the venerable www.site.com/?M=A and ?S=D, ?N=A etc. tricks. If Apache isn't locked down, it'll happily bypass index.html and give you directory listings, and then spider any subdirectories using the same method. I had several of my unpublished directories found by Google this way.
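
Added example (not part of the thread): a log check a site owner could run to see which directories have already answered the sorted-listing requests described in the comment above. It assumes Apache Combined Log Format; the log lines are constructed, and the `?C=M;O=A` pattern is the Apache 2.x form of the same sort query, which the comment does not mention.

```python
import re
from collections import defaultdict

# Apache 1.3 mod_autoindex sort keys (?N=A, ?M=D, ...) and the 2.x form (?C=M;O=A).
SORT_QUERY = re.compile(r"^(?:[NMSD]=[AD]|C=[NMSD](?:;O=[AD])?)$")

# Combined Log Format: host ident user [time] "METHOD target PROTO" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_listing_probes(lines):
    """Map each directory URL that returned 200 to a sorted-listing request
    to the sorted list of client hosts that asked for it."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["status"] != "200":
            continue
        path, _, query = m["target"].partition("?")
        # Only directory URLs can produce an autoindex listing.
        if path.endswith("/") and SORT_QUERY.match(query):
            hits[path].add(m["host"])
    return {path: sorted(hosts) for path, hosts in hits.items()}

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2002:13:55:36 +0000] "GET /?M=A HTTP/1.0" 200 1432 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [10/Oct/2002:13:55:40 +0000] "GET /drafts/?S=D HTTP/1.0" 200 911 "-" "ExampleBot/1.0"',
    '198.51.100.7 - - [10/Oct/2002:14:02:01 +0000] "GET /drafts/?C=M;O=A HTTP/1.1" 200 911 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2002:14:02:05 +0000] "GET /reports/?N=A HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2002:14:03:00 +0000] "GET /index.html?M=A HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, hosts in find_listing_probes(SAMPLE_LOG).items():
        print(path, hosts)
```

A hit is a triage lead, not proof that a listing was served; confirm by requesting the URL yourself, and turn listings off with `Options -Indexes` for directories that should not be browsable.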

  8. Re:Related: what about referer logs by Dudio · · Score: 5, Informative

    If you have Page Rank and/or the Category button enabled in the Toolbar, it definitely "phones home" to Google WRT which sites you hit. This is explained during setup (IIRC), and in the options page where you can enable/disable these features. Check out Google's Toolbar Privacy Policy for more info on this.