Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reuters Accused Of Hacking For Typing In URL

Posted by timothy on from the permission-granted-or-denied dept.

Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."

7 of 563 comments (clear)

  1. A decent writeup, and an interesting question... by Thalia · · Score: 5, Informative
    Here is a decent writeup from The Register. The accusation is that "results could only be accessed via a 40 character ID code." Now whether this is an extended address, or a password is unclear. It also notes that there are a couple of other firms that have also accused Reuters of hacking into their systems to get early access to reports.

    Actually, this does raise an interesting question. If a page is put on the web that cannot be spidered, and cannot be reached from any publicly available page, can we assume that anyone who accesses that page has some sort of unauthorized information? I have never heard of hackers systematically trying IP addresses for content. And it is in fact likely that Reuters got the info from an employee... in violation of the employment agreement.

    This should be a fascinating case, and not nearly as easy as the writeup makes it seem.

    Thalia

  2. It is Lotus Domino... by Cpt_Corelli · · Score: 5, Informative



    Please note that they are using Lotus Domino as their web server. This means that there are no physical directories that you can chmod or "look into".

    The URL contains the Domino internal document ID (similar to a GUID) and I still can not understand how Reuters "guessed" that. Sounds to me like this is an internal leak...

    1. Re:It is Lotus Domino... by MightyTribble · · Score: 5, Informative

      A few things about domino, from a sometimes-Domino admin:

      First, you can have *really awful* Domino URLs. this was not one of them - they took the time in their DB design to make it a nice, easy on the eyes address.

      Second, and more importantly, Domino makes Access Control trivial. It would have been the work of moments to make that db private. They didn't do that.

      Finally, Domino regularly indexes all public databases on a site. The search engine can also parse PDF files. This makes all public documents findable unless you take measures to prevent indexing. Given how these monkeys set up the rest of their site, I wouldn't be surprised if this PDF was findable via the websites' regular search feature.

      It looks like this company has *no clue* what they were doing, and is trying to blame someone else for it.

  3. Re:Related: what about referer logs by NotesSauceBoss · · Score: 5, Informative
    Domino on its own doesn't have a web server you need to use and can use Apache, IIS, or WebSphere with domino.

    Wrong. A Domino server out of the box includes full HTTP services. This is part of the generic install. No additional HTTP software is needed, although you *can* configure Domino to use an alternative HTTP stack if you prefer.

    Why isn't there a moderation setting for "incorrect?"

  4. Google Take on Secret Servers by no+soup+for+you · · Score: 5, Informative

    It's probably too late for this to do any google, but here's google's take on Secret Websites and URL guessing (from their webmaster's FAQ)

    6. Googlebot is downloading information from our "secret" web server.

    It is almost impossible to keep a web server secret by not publishing any links to it. As soon as someone follows a link from your "secret" server to another web server, it is likely that your "secret" URL is in the referer tag, and it can be stored and possibly published by the other web server in its referer log. So, if there is a link to your "secret" web server or page on the web anywhere, it is likely that Googlebot and other "web crawlers" will find it.

    IMHO, If you put something out there, and don't restrict anyonymous access, the information is freely accessible. Access is implicitly given - you can restrict access, not grant it.
    --
    If you blog it...
  5. Re:Related: what about referer logs by tzanger · · Score: 5, Informative

    No, Googlebot needs a link.

    No, it doesn't.

    Google plays tricks with servers. With apache, for instance it tries the venerable www.site.com/?M=A and ?S=D, ?N=A etc. tricks. If Apache isn't locked down, it'll happily bypass index.html and give you directory listings, and then spider any subdirectories using the same method. I had several of my unpublished directories found by google this way.

  6. Re:Related: what about referer logs by Dudio · · Score: 5, Informative

    If you have Page Rank and/or the Category button enabled in the Toolbar, it definitely "phones home" to Google WRT which sites you hit. This is explained during setup (IIRC), and in the options page where you can change enable/disable these features. Check out Google's Toolbar Privacy Policy for more info. on this.