Slashdot Mirror


Reuters Accused Of Hacking For Typing In URL

Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."

20 of 563 comments

  1. Stating the obvious by Bartmoss · · Score: 5, Insightful

    It could have easily been protected by .htaccess or whatever. So, they have no case. Let's hope Reuters won't budge, and the judge will have a clue.

    1. Re:Stating the obvious by MalleusEBHC · · Score: 5, Insightful

      A store can easily be protected by purchasing video cameras. That doesn't make it legal to burglarize a store that just uses lock-and-key.

      The problem with your analogy is that they didn't even use a lock and key. Their doors were open for business and now they are getting mad that someone came in before they could put up the big neon "OPEN" sign.

    2. Re:Stating the obvious by SmallFurryCreature · · Score: 5, Insightful

      The analogy is, I think, fundamentally flawed. It is more like peeping. Did Reuters go to extraordinary lengths to peep in on data that the plaintiff could reasonably have expected to remain hidden?

      People walking by in the street cannot be charged with peeping if they see you walking naked in your house. Not even if they have to turn their heads to do it. Simply claiming that since you are doing it in your own house you are supposed to have privacy is not valid. You have to draw the curtains for the expectancy of privacy to be granted.

      Now the question is, did they have the curtains drawn? I personally think not. It will be interesting to see what the law has to say about it.

      --

      MMO Quests are like orgasms:

      You may solo them, I prefer them in a group.

    3. Re:Stating the obvious by Sancho · · Score: 5, Insightful

      This case is actually symptomatic of a much larger problem that the US (and the rest of the world, from the looks of it) face: using the courts and your clout to cover up your mistakes. It seems like it's gotten to the point where if something happens that you don't like, you sue someone. Doesn't really matter who. Filing a suit has become a method of saying "We did nothing wrong, in fact we were wronged." even when in many cases this is simply untrue.

      This company clearly messed up. A news agency got some information (and not by hacking!) and published it. The information wasn't fraudulent. If it was false, it wasn't with a disregard for the truth--after all, it was in a document on the company's website. But the company in question didn't like the fact that the information got out, so they sue the news company.

      Forget terrorism and its effect on "free speech and free press" (right now a mostly US-centric concern) the real danger is big budget corporations who have the money and time to spend taking you to court because they didn't like what you had to say. It's scary, folks, and it's not getting any better.

  2. Stupidity by e8johan · · Score: 5, Insightful

    Quotes are from Intentia's press release concerning the investigation.

    "Reuters News Agency Broke into Intentia's IT Systems"

    I would not call it breaking in to surf on someone's homesite.

    "there was an unauthorized entry via an IP-address belonging to Reuters"

    What do they mean, do I have to call them and ask for permission before accessing files publicly available on their homesite?

    As Reuters didn't steal anything, but simply pointed at an open window (that they found), I would have to say that their act was not illegal. What they should investigate is their internal safety policies, because they need a revision or two (IMHO).

  3. There are technical solutions by toriver · · Score: 5, Insightful

    In my opinion, any HTTP GET request is exactly that, a request. "May I have that resource, Server Sir?". And if the server (which is the thingy that is responsible for allowing or refusing the request) actually sent the requested resource/document back to the client, it has answered "Yes, you may" by responding with the resource.

    If the publishers of the resource wanted to limit access to the resource they could add authentication, referer checking, or a timestamp check - anything, really. Since they did not, I fail to see how they can have a case.

    "Security through obscurity", like having a non-linked but available resource, is self delusion.

    1. Re:There are technical solutions by j7953 · · Score: 5, Insightful

      So if I add a login header, is that just another GET request? It's the difference between http://root:12345@www.0wn3d.com/ and http://www.0wn3d.com/.

      No. In that case, you're trying to circumvent (by having illegally obtained or by guessing the password) a security measure. (Also see below.)

      It would cause the same kind of division in society as if we had a law that said burglary doesn't count unless you have an expensive security system.

      No. There is a difference between trying to receive information (i.e. trying to have it delivered to me), and trying to actively enter someone else's property. The breaking-in analogy is fundamentally flawed, at least as long as we're not talking about trying to circumvent any security that is installed (e.g. trying to guess passwords -- that would be trying to actively enter).

      Also note that houses (and physical locations in general) usually make it quite obvious whether they're supposed to be public or private. All private houses, even if they have no locks or security systems, have an implicit security mechanism: doors. Even if they're unlocked, closed doors tell most people not to enter unless invited by someone opening the door, or by a sign that tells them it's public. Why do you think most stores have doors that allow you to look into the store, that have obvious "open" signs, and that sometimes even open for you automatically? It's a way of telling people that the door is, unlike most other doors, not intended to keep them out.

      URLs, however, are all designed the same way, there is no obvious difference between private and public resources. The only way to recognize them as private is to request them and see if a password request will show up. And experience suggests that most URLs are public.

      Making it potentially illegal to try an URL will get you into the same legal problems as trying to make a difference between precise links ("deep links") and generic links (links to front pages).

      Some of the questions you'd have to answer are:

      • If you have requested, by following a link, the resource /some/path/document, and get a 404 Page not Found error, is it legal for you to try accessing /some/path/ by changing the URL in your browser's URL field?
      • Is it legal to type some domain name into your browser, even if it is not published anywhere? (E.g. you're looking for Foo Corporation's web site and try www.foo.com.)
      • If you're currently reading /2001/some-report, and you think that the year 2002 record would be more interesting, would you not try to type /2002/some-report into your browser?
      • If you're reading a structured document, e.g. an online book or a howto article, and you're currently reading /3-1, and you realize you'd like to skip chapter three but the "Next" link points to /3-2, is it legal for you to type /4 into your browser?
      • If you follow a link and get a 404, and the URL looks like the webmaster simply made a typo, is trying to correct the URL illegal without permission?
      • If any of the above is illegal, but someone did it anyway and then published the URL on his web site, without telling how he found it, is it illegal to click? To copy and paste?

      I am a webmaster myself, and I do agree that there are some requests that are sent with obviously malicious intentions (e.g. requests for cmd.exe etc.). But I am also a web user, and I don't want browsing the web to become a legal risk simply because I know how URLs work and make use of that knowledge. Some web site operators seem to believe that simply because they intended their visitors to behave in a certain way, and didn't provide any means for the users to behave differently, that anything but what they expect you to do should be illegal.

      There is a difference between an author telling you that it makes sense to read chapter four of his book before reading chapter five, and an author trying to put you in jail for reading chapter five first anyway.

      --
      Sig (appended to the end of comments I post, 54 chars)
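toriver's point above (a served GET is a granted request, so the gate has to be authentication or a timestamp check on the server) and j7953's distinction between requesting a resource and circumventing a control are illustrated by this added example. It is not code from the thread or from either company; the report paths, release time and user names are constructed for the example.

```python
"""Server-side access decision for pre-release documents (added example).

The only inputs are server-side state: the document inventory, the clock
and the authenticated identity. The Referer header is deliberately ignored
because the client supplies it, so it cannot serve as an access control.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Embargo:
    release_at: datetime            # moment the document becomes public
    pre_release_users: frozenset    # authenticated users cleared before that


# Constructed inventory: quarters already published need no embargo entry.
PUBLIC_PATHS = frozenset({"/reports/2002_Q1.pdf", "/reports/2002_Q2.pdf"})
EMBARGOED = {
    "/reports/2002_Q3.pdf": Embargo(
        release_at=datetime(2002, 10, 24, 7, 0, tzinfo=timezone.utc),
        pre_release_users=frozenset({"ir-team"}),
    ),
}

# Constructed sample clocks used by the demonstration below.
BEFORE_RELEASE = datetime(2002, 10, 23, 12, 0, tzinfo=timezone.utc)
AFTER_RELEASE = datetime(2002, 10, 24, 9, 0, tzinfo=timezone.utc)


def decide(path: str, now: datetime, user: Optional[str]) -> Tuple[int, str]:
    """Return the HTTP status and reason for a GET on `path` at time `now`.

    `user` is the authenticated principal, or None for an anonymous client.
    """
    if path in PUBLIC_PATHS:
        return 200, "public document"
    embargo = EMBARGOED.get(path)
    if embargo is None:
        return 404, "no such document"
    if now >= embargo.release_at:
        return 200, "embargo lifted"
    if user is None:
        # Anonymous request for an unreleased file: answer exactly as for a
        # path that does not exist, so guessing the name confirms nothing.
        return 404, "no such document"
    if user in embargo.pre_release_users:
        return 200, "authorized pre-release access"
    return 403, "authenticated but not cleared for pre-release access"


if __name__ == "__main__":
    for who in (None, "ir-team", "someone"):
        print(who, decide("/reports/2002_Q3.pdf", BEFORE_RELEASE, who))
```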
  4. if Intentia prevails, it would be very bad by g4dget · · Score: 5, Insightful

    Many people truncate URLs to avoid dealing with broken site navigation systems. Mozilla and Galeon even have an "up" button. Other pages may become unlinked but may still be linked from a log or search engine. Some files, like /robots.txt, are almost never linked to, yet everybody knows they are there. And more than once, I have mistyped a host name along with a URL and gotten a web page that looked not entirely public (logs, etc.).

    In some areas of law, drawing fuzzy boundaries and considering intent is unavoidable. However, in this case, anybody who wants to protect their information on the web easily can, using standard web access control schemes; they don't need to rely on using obscure URLs. Let's not burden the courts with this.

    This is part of a more general and disturbing trend, where lazy system admins don't spend the time to set up their systems correctly, or management hires incompetent and cheap staff, and then they try to use the court system and police (i.e., taxpayer money) to make up for their own shortcomings.

  5. Mantra by RAMMS+EIN · · Score: 5, Insightful

    Repeat after me:
    If you don't want people to read something, don't put it on the Internet.

    --
    Please correct me if I got my facts wrong.
  6. url's are like phone numbers by phr2 · · Score: 5, Insightful

    Deep linking has the same issue. URL's are like phone numbers.

    The company homepage, www.corp.com, is like the main switchboard number, say 555-1000.

    URL's reachable through the home page (www.corp.com/foo/bar) are like internal extensions you can find through the voice menu system (555-1357).

    The link with the earnings report is like an extension (555-2468) not on the voice menu, that came off somebody's business card or answering machine or some unknown channel.

    That's it. Reuters is being sued over something very much like calling an unlisted direct phone number inside some company. How they got the phone number is, well, irrelevant. They're a news organization, they have reporters, whose job is digging up info like phone numbers.

    Deep linking works the same way for anyone else too, of course. Like duh, if you don't want something to be reachable without going through the switchboard, don't give it a direct number exposed to the outside world.

  7. Look! A snake! by adolf · · Score: 5, Insightful

    Funny stuff, this.

    I'm going outside, right now, with copies of some of my own financial statements.

    I'm going to throw them onto the Main Street sidewalk, and stand just near enough to the pile that I can serve hastily-drawn lawsuit papers to anyone who dares to look.

    The documents are undeniably my property, after all. Nobody has the right to see them unless I erect a big fucking sign pointing them out, even if they are scattered about a public walkway.

    [Moral for the sarcasm-impaired: If you don't want your information to be public knowledge, now or ever, don't let it be publicly available. At all.]

  8. The Web is not a magazine!! by Mnemia · · Score: 5, Insightful

    All these companies seem to think that the Web is like a magazine: their neat little layout is all anyone should be allowed to use. But they forget that the Web was intentionally designed to facilitate deep linking and URL-typing for the purpose of transparent information exchange. They don't get to decide the layout and presentation of the data once they publish it so that it is accessible through an URL.

    There is nothing about implicit permission to view here. I assert that they are EXPLICITLY granting permission to any and all to view the document when they publish it via a non-password protected URL.

    That is the very foundation of the Web...without it we have interactive television.

  9. Re:Raises some interesting ideas by pubjames · · Score: 5, Insightful

    I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/financial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password....

    Dumbass:But your honor, that man has stolen a hundred dollars from me! I think I made a reasonable attempt to hide it by keeping it in an old shoe in a hedge at the local park. Who would think to look there? ...what do you mean I'm a dumbass?

  10. Re:Related: what about referer logs by gazbo · · Score: 5, Insightful

    No, Googlebot needs a link. If it is inaccessible through hyperlinks, Googlebot won't even know it existed. Of course, if it followed Reuters' link then it would have found the report, but then that's the whole point of the legal action, isn't it?

  11. The best quote from Intentia's website by bobdotorg · · Score: 5, Insightful

    "The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.

    Yeah - no shit Sven, IT blunders with sensitive information tend to do that.

    But hey, just to make sure that everyone's confidence in your company is shattered, why don't you do the American thing and file a 'It can't possibly be my fault' lawsuit.

    --
    __ Someday, but not this morning, I'll finally learn to use the preview button.
  12. Re: Related: what about referer logs by Black+Parrot · · Score: 5, Insightful

    > While I'd normally agree, if it's protected by some kind of protection (htaccess) - even if it's really weak, accessing it would be cracking, same as if a door in a house is open, you still can't nick the TV.

    No, the correct analogy is "if you stand naked in your doorway you can't complain about everyone seeing your naughties".

    --
    Sheesh, evil *and* a jerk. -- Jade
  13. Re:It is Lotus Domino... by AlecC · · Score: 5, Insightful

    I went to their site, and I looked for the (now visible) results. The URL looked like this:

    http://www.intentia.com/w2000.nsf/(files)/Intentia_02_Q3_us.pdf/$FILE/Intentia_02_Q3_us.pdf

    The previous quarters' reports are also available under ...02_Q2_us.pdf and so on. This URL is a lot more than 40 characters, but it hardly takes a rocket scientist to guess where Q3 is going to be when you know where Q1 and Q2 are. You really cannot call such guesswork "hacking".

    --
    Consciousness is an illusion caused by an excess of self consciousness.
  14. Re:Related: what about referer logs by Xentax · · Score: 5, Insightful

    I'm not an expert on Search Engine Backends (IANA...ahh screw that).

    But, wouldn't most search engines also at least try to grab index.html on directories in which they've found other files?

    Of course, I doubt that's what happened here. From what I can tell on the "victim" website, Reuters just guessed what the URL for the report would be. Who hasn't done that before, in some way or another (e.g. guessing what a broken URL was supposed to be)?

    There's clearly NO access control here, except a shining example of how security through obscurity is NOT security at all.

    Xentax

    --
    You shouldn't verb words.
  15. Re:Related: what about referer logs by schon · · Score: 5, Insightful

    Thing is, Reuters didn't just "look". They published. Which, using the same analogy, would be looking into your house, and reporting to any and all passers-by what was going on inside.

    Except that my house isn't a public place.

    The report was put in a PUBLIC location. Therefore it's up to them to restrict access. Simply "not telling anyone" isn't restricting access.

  16. Re:Related: what about referer logs by Klaruz · · Score: 5, Insightful

    No, this is like walking into a company's public library and finding a book on a shelf in the corner that wasn't in the card catalog.

    Whine and moan all they want, they still stuck it in a public place. They should have stuck it behind a locked closed door. Then it's secure. If you bust open the door, that would be a crime. Finding something sitting in a public place that's not advertised is not a crime.