Slashdot Mirror
Reuters Accused Of Hacking For Typing In URL
Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."
It could have easily been protected by .htaccess or whatever. So, they have no case. Let's hope Reuters won't budge, and the judge will have a clue.
Quotes are from Intentia's press release concerning the investigation.
"Reuters News Agency Broke into Intentia's IT Systems"
I would not call it breaking in to surf on someones homesite.
"there was an unauthorized entry via an IP-address belonging to Reuters"
What do they mean, do I have to call them and ask for permission before accessing files publically available on their homesite?
As Reuters didn't steal anything, but simply pointed at on open window (that they found) I would have to say that their act was not illegal. What they should investigate is their internal safety policies, because they need a revision or two (IMHO).
It's not about the existence (or not) of the link, but the source of the URL. While I don't agree with it, I think what they are saying is that if a site doesn't publish a URL (usually through a link, but could be in print, etc) it is not public information and accessing it is unauthorised access. This is the same attitude (if not specific issue) that has a problem with deep-linking too.
Free Java games for your phone: Tontie, Sokoban
If the publishers of the resource wanted to limit access to the resource they could add authentication, referer checking, or a timestamp check - anything, really. Since they did not, I fail to see how they can have a case.
"Security through obscurity", like having a non-linked but available resource, is self delusion.
In some areas of law, it's unavoidable drawing fuzzy boundaries and considering intent. However, in this case, anybody who wants to protect their information on the web easily can, using standard web access control schemes; they don't need to rely on using obscure URLs. Let's not burden the courts with this.
This is part of a more general and disturbing trend, where lazy system admins don't spend the time set up their systems correctly, or management hires incompetent and cheap staff, and then try to use the court system and police (i.e., taxpayer money) to make up for their own shortcomings.
Repeat after me:
If you don't want people to read something, don't put it on the Internet.
Please correct me if I got my facts wrong.
The company homepage, www.corp.com, is like the main switchboard number, say 555-1000.
URL's reachable through the home page (www.corp.com/foo/bar) are like internal extensions you can find through the voice menu system (555-1357).
The link with the earnings report is like an extension (555-2468) not on the voice menu, that came off somebody's business card or answering machine or some unknown channel.
That's it. Reuters is being sued over something very much like calling an unlisted direct phone number inside some company. How they got the phone number is, well, irrelevant. They're a news organization, they have reporters, whose job is digging up info like phone numbers.
Deep linking works the same way for anyone else too, of course. Like duh, if you don't want something to be reachable without going through the switchboard, don't give it a direct number exposed to the outside world.
Funny stuff, this.
I'm going outside, right now, with copies of some of my own financial statements.
I'm going to throw them onto the Main Street sidewalk, and stand just near enough to the pile that I can serve hastily-drawn lawsuit papers to anyone who dares to look.
The documents are undeniably my property, after all. Nobody has the right to see them unless I erect a big fucking sign pointing them out, even if they are scattered about a public walkway.
[Moral for the sarcasm-impaired: If you don't want your information to be public knowledge, now or ever, don't let it be publicly available. At all.]
Kid-proof tablet..
What Reuters did exposed the company to a situation before they were ready.
Which is precisely what you'd expect them to do, Reuters being a press agency and all.
I court I hope Reuters don't get busted for accessing the information, but for publishing details about it.
Damn straight. If it weren't for those goddamned financial journalists, I bet Enron would still be trading today. The freedom of the press has got no business interfering with our right to earn a dishonest dollar.
After all I'm sure that the company in question had a copyright notice on all their pages, right?
So what? Do you really believe Reuters breached their copyright in the report?
Get a jar of glue, man.
Which roughly translates to: 'we want to use the internet securely'.
They then put some confidential information on their public website, and sue the first people to read it
All these companies seem to think that the Web is like a magazine: their neat little layout is all anyone should be allowed to use. But they forget that the Web was intentially designed to facilitate deep linking and URL-typing for the purpose of transparent information exchange. They don't get to decide the layout and presentation of the data once they publish it so that it is accessible through an URL.
There is nothing about implicit permission to view here. I assert that they are EXPLICITLY granting permission to any and all to view the document when they publish it via a non-password protected URL.
That is the very foundation of the Web...without it we have interactive television.
If their webserver is attached to the internet in any way, then anything it is "serving" is fair game, and should thus be protected appropriately.
While I'd normally agree, if its protected by some kind of protection (htaccess) - even if its really weak, accessing in would be cracking, same as if a door in a house is open, you still cant nick the TV.
Of course in this case google would have spidered the report before long and they cant prosecute an automatic robot can they?
I completely disagree.
From what I gather from the posts on here, it seems that these guys have a webserver with little to no security on it. If you use a basic webcrawling program, it likely jumps from link to link, which is what we expect AOL users to do online. However, a good web crawler will also check the directory by default as well, to see if there is an index (I've seen some of this in MY referrer logs).
Given that this was sensitive data, it should have been protected. Claiming that it was by not publishing the URL is like sticking it in a window of a building with thousands of windows. Eventually someone may see it.
Your analogy of the credit card numbers would be valid IF they had swiped a password to get to that point. But the server didn't ask for authorisation by any means. It was happy with a basic URL. There's nothing ultra-special about the URL to suggest that it's attempting to be hidden either. I doubt the location was intended to change, but to just be linked to.
Basically, Reuters has provided good reporting using the skills available to anyone with a decent wewbcrawler who has a set list of websites to follow. And if they didn't get it that way but got it through an anonymous tip, that's classic reporting.
The power of accurate observation is commonly called cynicism by those who have not got it. - G.B. Shaw
I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/fin ancial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password....
...what do you mean I'm a dumbass?
Dumbass:But your honor, that man has stolen a hundred dollars from me! I think I made a reasonable attempt to hide it by keeping it in an old shoe in a hedge at the local park. Who would think to look there?
No, Googlebot needs a link. If it is inaccessible through hyperlinks, Googlebot won't even know it existed. Of course, if it followed Reuters link then it would have found the report, but then that's the whole point of the legal action, isn't it?
"The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.
Yeah - no shit Sven, IT blunders with sensitive information tend to do that.
But hey, just to make sure that everyone's confidence in your company is shattered, why don't you do the American thing and file a 'It can't possibly be my fault' lawsuit.
__ Someday, but not this morning, I'll finally learn to use the preview button.
If you kept it in a hedge in your garden (i.e., on your property as this report was), and someone took it, they would still technically be guilty of theft.
Except (to streach the anology to its limits), a public web server is like putting a sign on your garden gate saying "Open to the public".
> While I'd normally agree, if its protected by some kind of protection (htaccess) - even if its really weak, accessing in would be cracking, same as if a door in a house is open, you still cant nick the TV.
No, the correct analogy is "if you stand naked in your doorway you can't complain about everyone seeing your naughties".
Sheesh, evil *and* a jerk. -- Jade
I went to their site, and I looked for the (now visible) results. The URL looked like this:
t ia _02_Q3_us.pdf/$FILE/Intentia_02_Q3_us.pdf
...02_Q2_us.pdf and so on. This URL is a lot more than 40 characters, but it hardly takes a rocket scintist to guess where Q3 is going to be when you know where Q1 and Q2 are. You really cannot call such guesswork "hacking".
http://www.intentia.com/w2000.nsf/(files)/Inten
The previous quarters reports are also available under
Consciousness is an illusion caused by an excess of self consciousness.
I'm not an expert on Search Engine Backends (IANA...ahh screw that).
But, wouldn't most search engines also at least try to grab index.html on directories in which they've found other files?
Of course, I doubt that's what happened here. From what I can tell on the "victim" website, Reuters just guessed what the URL for the report would be. Who hasn't done that before, in some way or another (e.g. guessing what a broken URL was supposed to be)?
There's clearly NO access control here, except a shining example of how security through obscurity is NOT security at all.
Xentax
You shouldn't verb words.
Thing is, Reuters didn't just "look". They published. Which, using the same analogy, would be looking into your house, and reporting to any and all passers-by what was going on inside.
Except that my house isn't a public place.
The report was put in a PUBLIC location. Therefore it's up to them to restrict access. Simply "not telling anyone" isn't restricting access.
No, this is like walking into a company's public library and finding a book on a shelf in the corner that wasn't in the card catalog.
Whine and moan all they want, they still stuck it in a public place. They should have stuck it behind a locked closed door. Then it's secure. If you bust open the door, that would be a crime. Finding something sitting in a public place that's not advertised is not a crime.