Slashdot Mirror
Reuters Accused Of Hacking For Typing In URL
Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."
It could have easily been protected by .htaccess or whatever. So, they have no case. Let's hope Reuters won't budge, and the judge will have a clue.
Quotes are from Intentia's press release concerning the investigation.
"Reuters News Agency Broke into Intentia's IT Systems"
I would not call it breaking in to surf on someones homesite.
"there was an unauthorized entry via an IP-address belonging to Reuters"
What do they mean, do I have to call them and ask for permission before accessing files publically available on their homesite?
As Reuters didn't steal anything, but simply pointed at on open window (that they found) I would have to say that their act was not illegal. What they should investigate is their internal safety policies, because they need a revision or two (IMHO).
It's not about the existence (or not) of the link, but the source of the URL. While I don't agree with it, I think what they are saying is that if a site doesn't publish a URL (usually through a link, but could be in print, etc) it is not public information and accessing it is unauthorised access. This is the same attitude (if not specific issue) that has a problem with deep-linking too.
Free Java games for your phone: Tontie, Sokoban
anybody who strays from the 'garden path' of links provided shouldn't be deemed a criminal.
However, it depends upon what you do with this so-called unpublished material.
What Reuters did exposed the company to a situation before they were ready. Seems to me like the company should have taken more adequate security such as using htaccess passwords, etc.
I court I hope Reuters don't get busted for accessing the information, but for publishing details about it. After all I'm sure that the company in question had a copyright notice on all their pages, right?
If the publishers of the resource wanted to limit access to the resource they could add authentication, referer checking, or a timestamp check - anything, really. Since they did not, I fail to see how they can have a case.
"Security through obscurity", like having a non-linked but available resource, is self delusion.
In some areas of law, it's unavoidable drawing fuzzy boundaries and considering intent. However, in this case, anybody who wants to protect their information on the web easily can, using standard web access control schemes; they don't need to rely on using obscure URLs. Let's not burden the courts with this.
This is part of a more general and disturbing trend, where lazy system admins don't spend the time set up their systems correctly, or management hires incompetent and cheap staff, and then try to use the court system and police (i.e., taxpayer money) to make up for their own shortcomings.
Repeat after me:
If you don't want people to read something, don't put it on the Internet.
Please correct me if I got my facts wrong.
It's not hard to crawl a website, such as search engines do all the time. Yet I bet they're not going to sue google which undoubtedly had a cache of the site before it went public (robots allowed, of course).
3 A
And if your server is set to list directories, then it's already "serving" away all of it's pretty little files without much prodding (funny, how a server...serves...files).
http://www.intentia.com/w2000.nsf/pages/PR_5BBD
" The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters. The entry took place at 12:51 pm on October 24th 2002, prior to the publication of the interim report for the third quarter of 2002. At approximately 12:57 pm, Reuters published the first news flash giving information on Intentia's third quarter result, without prior confirmation from the Company..."The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.
"We question the methods used by Reuters, and our judgement is that we cannot rule out the possibility of illegal actions. As a consequence we will file criminal charges regarding the incident," says Björn Algkvist.
"We will disclose to the Stockholm Stock Exchange all technical details on how the intrusion was made, which will allow them to share this information with other listed companies, so that actions preventing similar events in the future can be made," concludes Björn Algkvist. "
Tip for the Swedes over there at Intentia International:
"chmod --help" -or-
"mv --help"
If an unauthorized page isn't met with a 404 or 403, you did somehting wrong.
Most folk'll never lose a toe, and then again some folk'll...
The company homepage, www.corp.com, is like the main switchboard number, say 555-1000.
URL's reachable through the home page (www.corp.com/foo/bar) are like internal extensions you can find through the voice menu system (555-1357).
The link with the earnings report is like an extension (555-2468) not on the voice menu, that came off somebody's business card or answering machine or some unknown channel.
That's it. Reuters is being sued over something very much like calling an unlisted direct phone number inside some company. How they got the phone number is, well, irrelevant. They're a news organization, they have reporters, whose job is digging up info like phone numbers.
Deep linking works the same way for anyone else too, of course. Like duh, if you don't want something to be reachable without going through the switchboard, don't give it a direct number exposed to the outside world.
It depends on how you define hacking... if they had no inside information about the URL, then yeah, guessing the URL would be a type of hacking but, I don't believe, one that could be punishable by law. For example, if I put an object I own in a public place... say, some place where the object is hidden but could be found if somebody was looking for it. Then a couple days later it's gone... is that theft? Sure, but, again, I don't think it can be punished. One of those "you should have known better," examples.
sig.
A very intelligent point. They didn't hack anything, they asked for the document, and the server gave it. They have absolutely no case.
using namespace slashdot;
troll::post();
Funny stuff, this.
I'm going outside, right now, with copies of some of my own financial statements.
I'm going to throw them onto the Main Street sidewalk, and stand just near enough to the pile that I can serve hastily-drawn lawsuit papers to anyone who dares to look.
The documents are undeniably my property, after all. Nobody has the right to see them unless I erect a big fucking sign pointing them out, even if they are scattered about a public walkway.
[Moral for the sarcasm-impaired: If you don't want your information to be public knowledge, now or ever, don't let it be publicly available. At all.]
Kid-proof tablet..
In the news-business it's allways about speed. Beeing the first one bringing the news. Getting authorised the rights to publish something thats allready on the web would seem like a waste of time in any case in this business.
If I found a page on the net, which seemed relevant to my news-page, I'd link it and not check if it's ok. It's allready on the web, right?
And anyone clueless enough to put sensitive documents accessable to the public should suffer the consequences. Maybe he'll learn.
Not Buzzword 2.0 compliant. Please speak english.
In other news, dialing unlisted phone numbers without the express written consent of the number's owner is now a criminal offense.
Krikey. I just don't know where they find people this stupid. Same goes for this deep linking crap. Maybe people should have to pass some sort of test before they get to use the Internet. Otherwise the have to use AOL until they at least understand that anything you post to the web could be publically accessible.
From: "ferrocene" ,
To:
Subject: Re: Lawsuit @ http://www.intentia.com/w2000.nsf/pages/PR_5BBD3A
If an unauthorized page isn't met with a 404 or 403, you did somehting wrong. You have an incompetent webmaster. The proper way to remove a book from the library isn't to remove the card catalog, it's to remove the book.
-erik-
Most folk'll never lose a toe, and then again some folk'll...
Which roughly translates to: 'we want to use the internet securely'.
They then put some confidential information on their public website, and sue the first people to read it
All these companies seem to think that the Web is like a magazine: their neat little layout is all anyone should be allowed to use. But they forget that the Web was intentially designed to facilitate deep linking and URL-typing for the purpose of transparent information exchange. They don't get to decide the layout and presentation of the data once they publish it so that it is accessible through an URL.
There is nothing about implicit permission to view here. I assert that they are EXPLICITLY granting permission to any and all to view the document when they publish it via a non-password protected URL.
That is the very foundation of the Web...without it we have interactive television.
If their webserver is attached to the internet in any way, then anything it is "serving" is fair game, and should thus be protected appropriately.
While I'd normally agree, if its protected by some kind of protection (htaccess) - even if its really weak, accessing in would be cracking, same as if a door in a house is open, you still cant nick the TV.
Of course in this case google would have spidered the report before long and they cant prosecute an automatic robot can they?
The correct analogy to use here is not "it was an open window" or "a door that wasn't locked".
The correct analogy is the free information handout kiosk. Somebody put somthing at the Kiosk sooner then they meant to, but behind a different handout.
I completely disagree.
From what I gather from the posts on here, it seems that these guys have a webserver with little to no security on it. If you use a basic webcrawling program, it likely jumps from link to link, which is what we expect AOL users to do online. However, a good web crawler will also check the directory by default as well, to see if there is an index (I've seen some of this in MY referrer logs).
Given that this was sensitive data, it should have been protected. Claiming that it was by not publishing the URL is like sticking it in a window of a building with thousands of windows. Eventually someone may see it.
Your analogy of the credit card numbers would be valid IF they had swiped a password to get to that point. But the server didn't ask for authorisation by any means. It was happy with a basic URL. There's nothing ultra-special about the URL to suggest that it's attempting to be hidden either. I doubt the location was intended to change, but to just be linked to.
Basically, Reuters has provided good reporting using the skills available to anyone with a decent wewbcrawler who has a set list of websites to follow. And if they didn't get it that way but got it through an anonymous tip, that's classic reporting.
The power of accurate observation is commonly called cynicism by those who have not got it. - G.B. Shaw
I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/fin ancial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password....
...what do you mean I'm a dumbass?
Dumbass:But your honor, that man has stolen a hundred dollars from me! I think I made a reasonable attempt to hide it by keeping it in an old shoe in a hedge at the local park. Who would think to look there?
Exactly. This is equivalent to leaving a document pinned under a table on a street cafe (or under another note on a notice board). You're not advertising it's location, but if you find it, there is nothing stopping anyone from reading it.
A public web server is a publically accessable location, if you give out your "private" documents without access control, no matter how obscure your filing system, then you have no expectation of privacy.
How about another example:
I place an unmaned, unguarded, unlocked filing cabinet in times square. This filing cabinet contains information that I encourage members of the public to access. My bank account pin is stored in this filing cabinent under (SKGAKYG@&^KJH). Do I have any right to expect my bank pin to remain private? Does it matter if the filing cabinet is in a publically accessable area of my company? I would say no and no.
That Denmark case sounds very interesting, you have a link to details online about it?
No, Googlebot needs a link. If it is inaccessible through hyperlinks, Googlebot won't even know it existed. Of course, if it followed Reuters link then it would have found the report, but then that's the whole point of the legal action, isn't it?
Isn't it possible that Reuters had a bookmarked link to this URL? I know they say that it was unpublished, but maybe they had done redirection in the past, and Reuters bookmarked the redirected URL?
While it may not be illegal to actually view and read this information, its potentially creating a conflict of interest for investors. If this was an earnings report published before its intended publication date, people will trade off that information. This could create a situation similar to insider trading.
And regardless of this, if it is proved that Reuters did this intentionally, they are totally at fault. They know this information affects the markets, and that the information gives their clients a (potentially unfair) competitive advantage.
If Intentia had an obvious Earnings Report or financial press release procedure, Reuters should know they will potentially be held responsible for releasing false information.
What if this wasn't the final Earnings Report? Than Reuters would potentially affect the trading of Intentia stock based on false information...
OK, so in fact you're saying hacking is legal where not all the security precautions have been taken. And I'm allowed into your house to browse around if you forget to lock your windows. Get a grip.
Score:-1, Funny
That's why breaking into someone's house is "breaking & entry." Even if you don't have to break in, entering is still criminal.
Except a public webserver is nowhere near a private property. The page was put on a webserver in order to be published.
"The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.
Yeah - no shit Sven, IT blunders with sensitive information tend to do that.
But hey, just to make sure that everyone's confidence in your company is shattered, why don't you do the American thing and file a 'It can't possibly be my fault' lawsuit.
__ Someday, but not this morning, I'll finally learn to use the preview button.
And I'm allowed into your house to browse around if you forget to lock your windows. Get a grip.
No, but I'm allowed to see in your house if you leave the curtains/blinds open.
He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
If you kept it in a hedge in your garden (i.e., on your property as this report was), and someone took it, they would still technically be guilty of theft.
Except (to streach the anology to its limits), a public web server is like putting a sign on your garden gate saying "Open to the public".
The closest 'real-world' situation that I can imagine is someone sat in a public place reading a document with "Top Secret" written on it. Would this document be considered "public property" as the person was reading it in a place where anyone could easily read it over there shoulder?
I agree. I would add that Intentia International should have the burden of proving that there wasnt a link anywhere on the internet to the report. This is just silly.. If you put things on a public webserver, its public.
This is clearly ridiculous.
They published it by putting it into a directory from which the web server could serve up documents. End of story.
The arguments about "but that means burglarly is allowed if you have no security" are completely specious. This has nothing to do with security. Through deliberate action, or even accidentally, they made the document publically available. It's as simple as that.
> While I'd normally agree, if its protected by some kind of protection (htaccess) - even if its really weak, accessing in would be cracking, same as if a door in a house is open, you still cant nick the TV.
No, the correct analogy is "if you stand naked in your doorway you can't complain about everyone seeing your naughties".
Sheesh, evil *and* a jerk. -- Jade
you had to know, or guess, what address to type in order to retrieve it.
Does not listing a library book in the card catalog mean the book is classified, private information? What if someone released movie to the theaters, but didn't advertise or put the show times in the newspaper?
This is just a silly company wanting laws to cover their idiotic mistakes. It's easy enough to store your unreleased earnings report somewhere besides your live webserver.
$8.95/mo web hosting
I went to their site, and I looked for the (now visible) results. The URL looked like this:
t ia _02_Q3_us.pdf/$FILE/Intentia_02_Q3_us.pdf
...02_Q2_us.pdf and so on. This URL is a lot more than 40 characters, but it hardly takes a rocket scintist to guess where Q3 is going to be when you know where Q1 and Q2 are. You really cannot call such guesswork "hacking".
http://www.intentia.com/w2000.nsf/(files)/Inten
The previous quarters reports are also available under
Consciousness is an illusion caused by an excess of self consciousness.
I'm not an expert on Search Engine Backends (IANA...ahh screw that).
But, wouldn't most search engines also at least try to grab index.html on directories in which they've found other files?
Of course, I doubt that's what happened here. From what I can tell on the "victim" website, Reuters just guessed what the URL for the report would be. Who hasn't done that before, in some way or another (e.g. guessing what a broken URL was supposed to be)?
There's clearly NO access control here, except a shining example of how security through obscurity is NOT security at all.
Xentax
You shouldn't verb words.
> Reuters knew that it wasn't Intentia's intent to release that information (yet) but still persisted in obtaining and releasing it to the general public.
Unproven assumption. Reuters knew the URL it would be posted at, and kept looking at that URL until it appeared. Pecause it appeared on a public web server, they assumed it was published. Wrong, but how were they to know that?
Consciousness is an illusion caused by an excess of self consciousness.
I used to work at a company which used (at that time) a particular dynamic-content-management system (the name escapes me just now). At one point, one of the emails we received from a site visitor informed us that one of the big search engines had somehow (though no link existed to it ANYWHERE) managed to spider the admin page for that system... which was completely unprotected and included such information as our license key for this very expensive software.
To this day, I have no idea how that URL ended up on the search engine, but it just goes to show - if you want something protected, put a PASSWORD on it. Sheesh.
Or should we have sued the search engine for finding that link? Or the user who kindly reported it to us? Sorry, Europe. It looks like 'our' enjoyment of frivolous technology-lawsuits is starting to rub off...
... "I read part of it all the way through." -- Movie Mogul Sam Goldwyn (and some slashdot readers)
When I type in an URL like www.comics.com I am essentially
"guessing" that this URL exists and contains what I want. If
it doesnt I move on. Essentially any URL I type in is similiar
to this. Now, www.comics.com cannot put their most confidential
stuff at this page and then sue me for not following links.
(links from where?)
There is no rule that accessing pages that are available to my
web-browser are violation of privacy because the web server is
present exactly for that reason: sharing what you dont want to be private.
The bottom line in this case is very simple. Its _my_ freedom of action
to type in _any_ goddamn URL I want, in _my_ browser.
If some moron in their company doesnt know the difference between
their web-share drive and the company private drive, they need to fire him/her.
The company site quotes: "The incident has severely damaged confidence in us as individuals and in Intentia as a company" and I am amused by this. YES thats perfectly true.
Any company that handles up such a vital information in such a careless manner
DOES NOT deserve much confidence or credibility and they are just proving
themselves that they are morons. But instead of accepting their shortcomings
they are raving like an infant.
I think the key to their charge is the allegation: "The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters."
Which pretty much sums it up. Is it illegal to type in any url I want in my browser and
view the contents ? I just hope that the verdict is a slap in their face
and doesnt set any idiotic precedents.
DO NOT PANIC
By defintion putting a file in a "world readable" directory and setting the permissions to allow world access kinda implies that you don't care who reads this. Otherwise - why in the world would you allow this kind of access? If you place it in a world readable directory, you have no businness complaing the world can read it.
If religous zealots don't believe in Evolution, then why are they so worried about bird flu?
Because it's more interesting to see an argument refuted than simply discarded. The people who simply reply with 'wrong' really annoy me: From interaction and conversation come knowledge and learning. A binary rejection system discourages interaction.
Thing is, Reuters didn't just "look". They published. Which, using the same analogy, would be looking into your house, and reporting to any and all passers-by what was going on inside.
Except that my house isn't a public place.
The report was put in a PUBLIC location. Therefore it's up to them to restrict access. Simply "not telling anyone" isn't restricting access.
Think hard about AC's question... they are both URIs that are typed in, and both produce undesirable (for the server owners) results.
True, AC's might exploit a flaw with the server itself while the one in the posted story simply access unlinked content, but how would one explain that to a non-technical user like a typical judge/jury?
Either way, this could turn into a bad, bad precident.
Wrong. You've had several of your published but unpublicized directories found. Once its on the webserver and capable of being served to the public, its published.
Hence the term "publish to the webserver".
A better analogy is whether it is illegal for someone to call me if I have an unpublished number.
Whether someone finds me in a phone book, gets my number directly from me, gets my number from a friend, or guesses my number, the actual phone call is the same.
These anlogies about open doors are misleading, because it is intuitive to think that one should not simply walk into a stranger's house, even if the door is open.
However, if the open door were to a store in a mall, you would probably not think anything was wrong with just walking right in or even telling others about what you saw inside (or where the store is located). Just because the store wasn't listed in the mall directory doesn't make it illegal.
So what Reuters did was smarmy, if guilty as charged. And the Swedish company didn't file a lawsuit against Reuters themselves, as the writeup claims. They reported the event and a criminal action is now pending, which means it isn't just between the two companies now. It's a government thing. What Sweden can do against a non-Swedish company depends on other, currently unknown (to us) factors.
In short, it's a morals thing. There's lots of things we can do, but we don't because it's wrong, even if technically possible. That's the real missing piece in the analysis: thinking that it's OK to do anything, if you know how and can.
No, this is like walking into a company's public library and finding a book on a shelf in the corner that wasn't in the card catalog.
Whine and moan all they want, they still stuck it in a public place. They should have stuck it behind a locked closed door. Then it's secure. If you bust open the door, that would be a crime. Finding something sitting in a public place that's not advertised is not a crime.
No, Intentia published the information when they put it up on their web site. Reuters just reported what Intentia made publically available to anyone who thought to look.
Anyone who has a web site probably has unlinked pages hanging around, or directories excluded from indexing with robots.txt. The difference is that most of us are smart enough to realize that those pages aren't private or secure, just out of the way and unlikely to be seen. Intentia apparently has trouble grasping this concept.
...don't play on the interstate.
If you don't want people to see your internal company data, don't put it on the Internet.
Got it boys and girls? Yes? OK, now we can have milk, graham crackers, and naptime.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
www.my.com/report2000.pdf
www.my.com/report2001.pdf
and the world is waiting for 2002 report, would it really be a surprise when millions try to download www.my.com/report2002.pdf one day before the actual release? Come on, _everybody_ would do that. Perhaps one should sue Intentia for violating some stock exchange rules by not protecting the data.
A store can easily be protected by purchasing video cameras. That doesn't make it legal to burglarize a store that just uses lock-and-key.
True. But people from Reuters didn't physically enter Intentia's offices against Intentia's will, and carry away paper documents. That's clearly illegal. What happened doesn't appear to be illegal, to me.
Reuters communicated with an automated system, called a web server. Intentia made this system publicly accessible through a system of computers collectively known as the Internet.
Using the internationally recognized communication language of that system, called HTTP, Reuters then conveyed a request to Intentia's system that Reuters wished to be sent information about Intetia's sales reports. Intentia had configured their automated system to grant that request to anyone who asked. The automated system then sent Reuters the requested information, just as Intentia's administrators had designed it to do. Intentia had the option configuring the system to refuse the request, but configured it instead to grant the request.
There is no evidence to suggest that Reuters misrepresented itself to the system, or tried to take something from the system that Intentia had not configured it to grant. In short, the sole claim of "hacking" rests upon the fact that Intentia didn't expect anyone outside the company to ask for that document. But as far as I know, asking for something isn't a crime.
It's not burglary if you ask the salesperson if they will give you something, and they choose to give it to you.
Disclaimer: I Am Not a Lawyer. I Am Not A Police Officer. I Am Not a Alien from Mars. I am Not a Flying Fish. "Mod Me Down If You Must, But..." Natalie Portman. Hot Grits. All Your Base. Karma. Insert Standard Slashdotism Here.
Score -5, Silly Disclaimer.
--
AC