Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reuters Accused Of Hacking For Typing In URL

Posted by timothy on from the permission-granted-or-denied dept.

Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."

9 of 563 comments (clear)

  1. Related: what about referer logs by jukal · · Score: 5, Interesting
    What if you get the link for the yet unpublic page from the referrer logs of your own site, for example www.reuters.com -logs. Would using that information be criminal?

    Here's a related thread from yesterday.

    1. Re:Related: what about referer logs by technix4beos · · Score: 5, Interesting

      If their webserver is attached to the internet in any way, then anything it is "serving" is fair game, and should thus be protected appropriately.

      This story sounds like someone got careless, and didn't lock down the folder the data lived in.

      Sounds also like someone (their admin?) is trying to cover up the error by reporting to his (clueless?) bosses that obviously it was hacked, else how could they -ever- get that information, right? (yeah, right.)

      Perhaps the admin should check out this handy url and order his copy soon.

      http://www.amazon.com/exec/obidos/tg/detail/-/18 61 007221/qid=1035883929/sr=8-2/ref=sr_8_2/104-261132 8-8021524?v=glance&n=507846

      I know I did, and it's invaluable.

      --
      user@host$ diff /dev/urandom /dev/uspto
    2. Re:Related: what about referer logs by Kierthos · · Score: 5, Interesting

      Thing is, Reuters didn't just "look". They published. Which, using the same analogy, would be looking into your house, and reporting to any and all passers-by what was going on inside.

      Furthermore, there are "Peeping Tom" laws for residences and businesses. So, even looking in, if I leave the blinds up, can be illegal.

      Kierthos

      --
      Mr. Hu is not a ninja.
    3. Re:Related: what about referer logs by Qrlx · · Score: 5, Interesting

      What about the Google toolbar? I'm not sure what that thing is all about, BUT...

      I was running the Google Toolbar, and I had some un-linked content on our live web server. Then my boss just happened to be searching for some of that info on Google, and bam! The "secret" pages on our web server show up! Content that was indeed on the web but did not have any outside hyperlinks pointing to it was being cached by Google.

      How did Google find it? The only thing I can think of is that the Google Toolbar noticed that I went to that unpublished URL and "phoned home." (By the way, the web server is running IIS 5.0/Windows 2000, so I doubt those Apache tricks would work, though there must be similar tricks for IIS.)

  2. Re:Ridiculous! by Anonymous Coward · · Score: 5, Interesting

    Here in Denmark we have a similar (but more serious) case. A micro-payment system called Valus owned and developed by a Norwegian bank (Den Norske Bank) was "hacked" on its premiere day by typing in a simple URL with the command SHUTDOWN at the end. The link to do this was published on an online debate forum and several people tried the link (although it had a warning that you should not try it:-). The problem was missing input validation (maybe the most basic security issue). Until now five people have been taken to court - one of them being the "mastermind" who posted the link. As a reaction to this behaviour Valus has been reported to the state agency for protection of personal data (Datatilsynet) for not securing personal data.

  3. What the law says: by Albanach · · Score: 5, Interesting
    There's some discussionon the law - of course mainly American law which has little to do with whether it was legal or not where the crime actually happened.

    If they were to prosecute in the UK - I note Reuters replied to the allegations from their London HQ - here's what the law says:

    Computer Misuse Act (1990)
    Unauthorised access to computer material

    1.--(1) A person is guilty of an offence if--

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
    (b) the access he intends to secure is unauthorised; and
    (c) he knows at the time when he causes the computer to perform the function that that is the case.

    (2) The intent a person has to have to commit an offence under this section need not be directed at--

    (a) any particular program or data;
    (b) a program or data of any particular kind; or
    (c) a program or data held in any particular computer.

    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

    So, it's quite straightforward really - if they can prove Reuters knew they weren't supposed to be looking at that material, then if the access was from the UK, a crime was committed.

    If Reuters can argue they didn't know the material was private, there is no case to answer.

    Going back to the points some others have made about the information being publicaly accessible with no .htaccess protection, clearly this doesn't matter. If, for example, you were to make a clcik through that had to be viewed before you could see any of the content that stated the information was confidential then someone not supposed to be viewing it would be committing a crime to do so.

  4. Re:There are technical solutions by D+iz+a+n+k+Meister · · Score: 5, Interesting

    The problem with "ah well, these guys were just poking around, the publishers should have used proper security" is that it raises the bar of what security is to what we experts think it ought to be. Many people don't have the capability to employ such measures, so we're denying them legal recourse.

    1. These people are experts.
    2. From a practical viewpoint, it should not have been on that server if it wasn't to be served. Anyone with sensitive data should at least be able to employ that measure.
    3. Why should they have legal recourse against typing things in the address bar of a browser?

    --

    He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
  5. Re:Stating the obvious by passthecrackpipe · · Score: 5, Interesting
    I don't think this is about security, or .htaccess, or typing a URL, or anything technical whatsoever. This is simply a company that is being *extremely* clever when it comes to Marketing.

    Yesterday, I, as an IT professional that makes purchasing decision for a large organisation, had never heard from this company. Now I know they make Collaborative Solutions. All it cost them was a bogus courtcase with Reuters.

    This is clever marketing, nothing more, nothing less. Anyone can spot the lack of merits of this case from a mile away. Brand and name recognition of this company is soaring though. I wonder how their stock price is taking it?

    --
    People who think they know everything are a great annoyance to those of us who do.
  6. Guessing the results URL was easy by anser · · Score: 5, Interesting
    You can't go by what Intentia's website shows now, I suspect they changed their scheme (also known as 'locking the barn door after the barn burns down').

    If you do a Google search for intentia results, at least one early entry points to the Intentia 'press room' containing an earlier quarterly results announcement. The announcement page itself does have a 24 bit hex ID number in the URL (BA45EE etc) that would be hard to guess for a new quarter. But on the announcement page is this link:

    ::: read the full report
    Now the URL (which no longer works, natch) of the PDF file being linked to:
    http://www.intentia.com/w2000.nsf/(files)/Intentia _02_Q2_us.pdf/$FILE/Intentia_02_Q2_us.pdf
    is extremely easy to extrapolate to subsequent quarters. I have no doubt that's what Reuters did , for this company and many others with similarly easy naming schemes and early uploading schedules. And I have no doubt that other journalists pull the same trick. In this case, a company with results they'd rather nobody noticed has jumped at the opportunity to change the subject.