Slashdot Mirror


Reuters Accused Of Hacking For Typing In URL

Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."

17 of 563 comments

  1. Related: what about referer logs by jukal · · Score: 5, Interesting
    What if you get the link for the yet unpublic page from the referrer logs of your own site, for example www.reuters.com -logs. Would using that information be criminal?

    Here's a related thread from yesterday.

    1. Re:Related: what about referer logs by technix4beos · · Score: 5, Interesting

      If their webserver is attached to the internet in any way, then anything it is "serving" is fair game, and should thus be protected appropriately.

      This story sounds like someone got careless, and didn't lock down the folder the data lived in.

      Sounds also like someone (their admin?) is trying to cover up the error by reporting to his (clueless?) bosses that obviously it was hacked, else how could they -ever- get that information, right? (yeah, right.)

      Perhaps the admin should check out this handy url and order his copy soon.

      http://www.amazon.com/exec/obidos/tg/detail/-/1861007221/qid=1035883929/sr=8-2/ref=sr_8_2/104-2611328-8021524?v=glance&n=507846

      I know I did, and it's invaluable.

      --
      user@host$ diff /dev/urandom /dev/uspto
    2. Re:Related: what about referer logs by Kierthos · · Score: 5, Interesting

      Thing is, Reuters didn't just "look". They published. Which, using the same analogy, would be looking into your house, and reporting to any and all passers-by what was going on inside.

      Furthermore, there are "Peeping Tom" laws for residences and businesses. So, even looking in, if I leave the blinds up, can be illegal.

      Kierthos

      --
      Mr. Hu is not a ninja.
    3. Re:Related: what about referer logs by jmo_jon · · Score: 4, Interesting

      Imagine this scenario:

      An employee of a company takes their earnings report to a train station and leaves it there. A random person who happens to be a journalist picks it up and reads it through. He realises that this is dynamite since his paper will be the first one printing it, so he decides to print it.

      Now will that journalist be guilty of espionage, or will the employee at the company be the one to blame? I think no one doubts it will be the employee making the mistake, and I can't see the difference in putting it on their official website. Of course no one knows what it is and it's hard to find, just like a random paper in a train station. But the fact remains, someone at the company put the secret paper in a public forum in which someone happened to find it.

      I wonder what will happen if they win the suit. Will everyone linking to a page be forced to check constantly that the site they are linking to still has an 'official' link to the document, or risk facing charges?

    4. Re:Related: what about referer logs by Dun+Malg · · Score: 3, Interesting

      Granted, it is a very very stupid error, but getting that password list (even though it is online) I would say constitutes some level of hacking

      and I would say that getting the password list is no sort of crime. Using the passwords, however, would be.

      --
      If a job's not worth doing, it's not worth doing right.
    5. Re:Related: what about referer logs by Qrlx · · Score: 5, Interesting

      What about the Google toolbar? I'm not sure what that thing is all about, BUT...

      I was running the Google Toolbar, and I had some un-linked content on our live web server. Then my boss just happened to be searching for some of that info on Google, and bam! The "secret" pages on our web server show up! Content that was indeed on the web but did not have any outside hyperlinks pointing to it was being cached by Google.

      How did Google find it? The only thing I can think of is that the Google Toolbar noticed that I went to that unpublished URL and "phoned home." (By the way, the web server is running IIS 5.0/Windows 2000, so I doubt those Apache tricks would work, though there must be similar tricks for IIS.)

  2. Raises some interesting ideas by Stubtify · · Score: 3, Interesting
    While this seems absurd on the surface, I could see a judgement going either way, for mainly two reasons.

    First, Reuters' position would probably be that the data was on a public network which was in plain view as long as the url is typed in. I myself do this all the time: why go to www.microsoft.com, click once on support, then click on download, when I know the url I want is www.microsoft.com/download? It saves time and trouble. However, their "accidental" stumbling upon of this data, which is far more important than anything I'd ever likely find by accident, would most likely not fall into the same category. IANAL, but at the same time I would argue that anything they don't want leaked shouldn't be put online anyway, and especially without any security.

    However, I can see Intentia International's point of view. What's to stop someone from simply hitting their webserver with every alpha-numeric combination possible? They'll eventually come across the correct one for some piece of information which had gone previously undiscovered because it was to be placed up at a time which was decided by Intentia or any other company for that matter. I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/financial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password. And, scarily enough, if they showed a direct relationship between all pages not yet linked and their corresponding URL, perhaps a big fat DMCA case might come about if Reuters or someone figured that "~a2eslcf" meant "third quarter" in some sorry 2 bit encryption.

  3. Re:Ridiculous! by Anonymous Coward · · Score: 5, Interesting

    Here in Denmark we have a similar (but more serious) case. A micro-payment system called Valus owned and developed by a Norwegian bank (Den Norske Bank) was "hacked" on its premiere day by typing in a simple URL with the command SHUTDOWN at the end. The link to do this was published on an online debate forum and several people tried the link (although it had a warning that you should not try it:-). The problem was missing input validation (maybe the most basic security issue). Until now five people have been taken to court - one of them being the "mastermind" who posted the link. As a reaction to this behaviour Valus has been reported to the state agency for protection of personal data (Datatilsynet) for not securing personal data.

  4. Not everyone in the world is a /.'er by MalleusEBHC · · Score: 4, Interesting

    "The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.

    While most everyone here will agree that Reuters at worst could have their actions described as exploiting Intentia's utter stupidity, quotes like this show how little some people know about computers. This guy obviously thinks that just because they didn't provide an explicit hyperlink the data on their server is "confidential." What I fear is that some non-technology savvy judge will actually follow this same train of thought and rule against Reuters. Is this ridiculous? Yes. Is it unfortunately all too real of a possibility? Yes as well.

    PS - I checked Netcraft and they are running Windows 2000. Is it any surprise that their security guys would believe that data freely available on their server is secure if they also think a server on Win2k is secure in the first place?

  5. What the law says: by Albanach · · Score: 5, Interesting
    There's some discussion on the law - of course mainly American law, which has little to do with whether it was legal or not where the crime actually happened.

    If they were to prosecute in the UK - I note Reuters replied to the allegations from their London HQ - here's what the law says:

    Computer Misuse Act (1990)
    Unauthorised access to computer material

    1.--(1) A person is guilty of an offence if--

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
    (b) the access he intends to secure is unauthorised; and
    (c) he knows at the time when he causes the computer to perform the function that that is the case.

    (2) The intent a person has to have to commit an offence under this section need not be directed at--

    (a) any particular program or data;
    (b) a program or data of any particular kind; or
    (c) a program or data held in any particular computer.

    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

    So, it's quite straightforward really - if they can prove Reuters knew they weren't supposed to be looking at that material, then if the access was from the UK, a crime was committed.

    If Reuters can argue they didn't know the material was private, there is no case to answer.

    Going back to the points some others have made about the information being publicly accessible with no .htaccess protection, clearly this doesn't matter. If, for example, you were to make a click-through that had to be viewed before you could see any of the content, stating that the information was confidential, then someone not supposed to be viewing it would be committing a crime to do so.

  6. Re:There are technical solutions by D+iz+a+n+k+Meister · · Score: 5, Interesting

    The problem with "ah well, these guys were just poking around, the publishers should have used proper security" is that it raises the bar of what security is to what we experts think it ought to be. Many people don't have the capability to employ such measures, so we're denying them legal recourse.

    1. These people are experts.
    2. From a practical viewpoint, it should not have been on that server if it wasn't to be served. Anyone with sensitive data should at least be able to employ that measure.
    3. Why should they have legal recourse against typing things in the address bar of a browser?

    --

    He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
  7. Re:Stating the obvious by passthecrackpipe · · Score: 5, Interesting
    I don't think this is about security, or .htaccess, or typing a URL, or anything technical whatsoever. This is simply a company that is being *extremely* clever when it comes to Marketing.

    Yesterday, I, as an IT professional that makes purchasing decisions for a large organisation, had never heard of this company. Now I know they make Collaborative Solutions. All it cost them was a bogus court case with Reuters.

    This is clever marketing, nothing more, nothing less. Anyone can spot the lack of merits of this case from a mile away. Brand and name recognition of this company is soaring though. I wonder how their stock price is taking it?

    --
    People who think they know everything are a great annoyance to those of us who do.
  8. Any publicity is good publicity? by Arker · · Score: 4, Interesting

    Frankly, this is a pretty bad way to get your name out - an IT company that doesn't understand the web any better than this? I wouldn't hire them to do anything, they sound totally incompetent. But they say any publicity is good publicity...

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  9. Similar Australian case by Anarchofascist · · Score: 3, Interesting

    There was a similar case in Australia a few years ago, so please forgive me for not going into great detail, as my memory is no longer photographic.

    It seems there was an Australian Government site for information about your tax status. You entered your tax file number (same as the US SSN), plus a little more information to verify your identity, and then were shown a page with some tax information of some sort.

    One man noticed that the page he was eventually directed to was http://somethingsomething.gov.au/something.asp?tfn={his-tax-file-number} and wondered how good the security was. So of course, he types in another tax file number in the address field to test it.

    BLING! Someone else's tax information pops up! No security at all, someone had just dumped this simple database-access script on the web for all to see! He tells someone in the tax department (big mistake) about the security flaw and POW a piano falls on his head. Metaphorically speaking.

    Are there any Aussies in the audience who remember any more details about this one? It was at least 3 years ago... can't remember the final outcome.

    --
    Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
  10. Re:Stating the obvious by macdaddy · · Score: 3, Interesting

    Better analogy: the video store put "Episode I" DVDs on the shelf early thinking that since they hadn't advertised they had them they'd be safe. A customer looking in the obvious location (next to the "later" releases) found the video and told his friend. The store got pissy and complained. That's a better analogy.

  11. Guessing the results URL was easy by anser · · Score: 5, Interesting
    You can't go by what Intentia's website shows now, I suspect they changed their scheme (also known as 'locking the barn door after the barn burns down').

    If you do a Google search for intentia results, at least one early entry points to the Intentia 'press room' containing an earlier quarterly results announcement. The announcement page itself does have a 24 bit hex ID number in the URL (BA45EE etc) that would be hard to guess for a new quarter. But on the announcement page is this link:

    ::: read the full report
    Now the URL (which no longer works, natch) of the PDF file being linked to:
    http://www.intentia.com/w2000.nsf/(files)/Intentia_02_Q2_us.pdf/$FILE/Intentia_02_Q2_us.pdf
    is extremely easy to extrapolate to subsequent quarters. I have no doubt that's what Reuters did, for this company and many others with similarly easy naming schemes and early uploading schedules. And I have no doubt that other journalists pull the same trick. In this case, a company with results they'd rather nobody noticed has jumped at the opportunity to change the subject.
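A defender-side check for the guessable naming scheme anser describes, written as an added example that is not part of the original thread or of Intentia's site: it reads web-server access log lines (constructed samples below, in Common Log Format) together with the set of quarters a company has actually released, and flags requests for report files of quarters that are not yet published, separating plain probes (404s) from actual leaks (200s). The log format, the IP addresses and the path pattern `Intentia_YY_QN_xx.pdf` are assumptions modelled on the URL quoted in the post.

```python
import re
from collections import defaultdict

# Report filename pattern modelled on the URL quoted in the post: Intentia_02_Q2_us.pdf
REPORT_RE = re.compile(r'Intentia_(\d{2})_Q([1-4])_[a-z]{2}\.pdf', re.IGNORECASE)
# Minimal Common Log Format parser: client IP, request path, HTTP status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not real traffic): one client walks Q2 -> Q3 -> Q4,
# Q3 is served although unpublished, Q4 does not exist yet; another client only reads Q2.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Oct/2002:10:01:02 +0100] "GET /w2000.nsf/(files)/Intentia_02_Q2_us.pdf/$FILE/Intentia_02_Q2_us.pdf HTTP/1.1" 200 48213
198.51.100.7 - - [29/Oct/2002:10:01:09 +0100] "GET /w2000.nsf/(files)/Intentia_02_Q3_us.pdf/$FILE/Intentia_02_Q3_us.pdf HTTP/1.1" 200 51022
198.51.100.7 - - [29/Oct/2002:10:01:15 +0100] "GET /w2000.nsf/(files)/Intentia_02_Q4_us.pdf/$FILE/Intentia_02_Q4_us.pdf HTTP/1.1" 404 211
203.0.113.5 - - [29/Oct/2002:11:20:40 +0100] "GET /w2000.nsf/(files)/Intentia_02_Q2_us.pdf/$FILE/Intentia_02_Q2_us.pdf HTTP/1.1" 200 48213
"""


def audit(log_text, published):
    """Scan access-log text for report requests outside the published quarters.

    published: set of (year, quarter) tuples that have been officially released.
    Returns (leaks, probes): leaks is a list of (ip, path) where an unpublished
    report was served with 200; probes maps ip -> number of requests for any
    unpublished quarter, served or not (a run of these is the enumeration signal).
    """
    leaks = []
    probes = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the expected format
        ip, path, status = m.groups()
        r = REPORT_RE.search(path)
        if not r:
            continue  # not a report file, ignore
        quarter = (int(r.group(1)), int(r.group(2)))
        if quarter in published:
            continue  # legitimately released, nothing to flag
        probes[ip] += 1
        if status == "200":
            leaks.append((ip, path))  # unpublished document actually delivered
    return leaks, dict(probes)


if __name__ == "__main__":
    leaks, probes = audit(SAMPLE_LOG, {(2, 1), (2, 2)})
    print("leaked:", leaks)
    print("probing clients:", probes)
```

Run on real logs the same way, feeding in the quarters that have actually been announced; any entry in `leaks` means the file was reachable before release and should be moved off the public document root rather than merely unlinked.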
  12. College grades have similar 'security' by sheetsda · · Score: 3, Interesting

    My college protects grades a similar way before they're released, last semester I started publishing a form in my web space (hosted on their server :)) that allows you to get your grades (presumably) as soon as they're scanned in, several days before their intended release. I don't know if anyone on staff noticed and/or cared; it may be that the official release time is just there to prevent complaining about "she got her grades before I could". All that was required to make the form was stripping down their grade submit page and changing one of the options in a select.