Reuters Accused Of Hacking For Typing In URL
Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."
Here's a related thread from yesterday.
It could have easily been protected by .htaccess or whatever. So, they have no case. Let's hope Reuters won't budge, and the judge will have a clue.
I think that by definition: online means available, and not linked. If it has to be sanctioned because it was online, then yes, they must be guilty.
Are we going to get "internet traffic tickets" now, instead of a 404 error?
Oh wow! Deep-linking outlawed, URL-typing outlawed! How long until hyperlinking itself is outlawed? Oh wait, I should ask BT that, since they own the patent on hyperlinking...
Besides, isn't 'regulating access to private information on a public website' what .htaccess was for?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Quotes are from Intentia's press release concerning the investigation.
"Reuters News Agency Broke into Intentia's IT Systems"
I would not call it breaking in to surf on someone's homesite.
"there was an unauthorized entry via an IP-address belonging to Reuters"
What do they mean, do I have to call them and ask for permission before accessing files publicly available on their homesite?
As Reuters didn't steal anything, but simply pointed at an open window (that they found), I would have to say that their act was not illegal. What they should investigate is their internal safety policies, because they need a revision or two (IMHO).
It's not about the existence (or not) of the link, but the source of the URL. While I don't agree with it, I think what they are saying is that if a site doesn't publish a URL (usually through a link, but could be in print, etc) it is not public information and accessing it is unauthorised access. This is the same attitude (if not specific issue) that has a problem with deep-linking too.
Free Java games for your phone: Tontie, Sokoban
anybody who strays from the 'garden path' of links provided shouldn't be deemed a criminal.
However, it depends upon what you do with this so-called unpublished material.
What Reuters did exposed the company to a situation before they were ready. Seems to me like the company should have taken more adequate security such as using htaccess passwords, etc.
In court I hope Reuters don't get busted for accessing the information, but for publishing details about it. After all, I'm sure that the company in question had a copyright notice on all their pages, right?
Well I do it all the time when browsing pr0n. Suppose you have a URL like this one: http://www.hotteenchick.com/free/tgp/melanie08/melanie08.html,
it doesn't take long to figure out where the other pics are.
If the publishers of the resource wanted to limit access to the resource they could add authentication, referer checking, or a timestamp check - anything, really. Since they did not, I fail to see how they can have a case.
"Security through obscurity", like having a non-linked but available resource, is self delusion.
In some areas of law, it's unavoidable drawing fuzzy boundaries and considering intent. However, in this case, anybody who wants to protect their information on the web easily can, using standard web access control schemes; they don't need to rely on using obscure URLs. Let's not burden the courts with this.
This is part of a more general and disturbing trend, where lazy system admins don't spend the time to set up their systems correctly, or management hires incompetent and cheap staff, and then try to use the court system and police (i.e., taxpayer money) to make up for their own shortcomings.
"The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB."
Um, yeah. If you can't tell the difference between 'storing confidential data in an access controlled place on your internal network' and 'storing confidential data on an open-for-all external site', it sure will damage my confidence in Intentia as a company. Incompetent is a fairly fitting description.
The one person that put the document on a public webserver is the one who's to blame. No matter how they toss and turn it it was accessible without any access restrictions from the web. Nothing was hacked and no password guessed.
I really hope that the court handling this case will understand how a webserver functions. In that case it's all clear who's to blame.
HTTP/1.1 400
Repeat after me:
If you don't want people to read something, don't put it on the Internet.
Please correct me if I got my facts wrong.
Let's think about this for a minute... if I remember the URL that was used to access a particular resource, and just type it in again at a later date (or even just recall a stored bookmark), am I hacking the site, just because the link I used originally may not exist any more?
Hell, if I just type a domain name into the browser, am I considered to be hacking the site (because it may not be indexed by the search engines yet, etc.)?
The internet is a 'public' network... (in terms of ability to access resources, not necessarily in the ownership of the material found there)...
It is easy enough to 'secure' data (at least in a trivial sense), and the responsibility has to be on the 'publisher' to make a reasonable attempt to protect data that they do not wish to be generally available... not linking to a resource does not constitute a reasonable attempt.
First, Reuters' position would probably be that the data was on a public network which was in plain view as long as the URL is typed in. I myself do this all the time: why go to www.microsoft.com, click once on support, then click on download when I know the URL I want is www.microsoft.com/download. It saves time and trouble. However their "accidental" stumbling upon of this data, which is far more important than anything I'd ever likely find by accident, would most likely not fall into the same category. IANAL, but at the same time I would argue that anything they don't want leaked shouldn't be put online anyway, and especially without any security.
However, I can see Intentia International's point of view. What's to stop someone from simply hitting their webserver with every alpha-numeric combination possible? They'll eventually come across the correct one for some piece of information which had gone previously undiscovered because it was to be placed up at a time which was decided by Intentia or any other company for that matter. I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/financial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password. And, scarily enough, if they showed a direct relationship between all pages not yet linked and their corresponding URL, perhaps a big fat DMCA case might come about if Reuters or someone figured that "~a2eslcf" meant "third quarter" in some sorry 2-bit encryption.
It's not hard to crawl a website, such as search engines do all the time. Yet I bet they're not going to sue google which undoubtedly had a cache of the site before it went public (robots allowed, of course).
And if your server is set to list directories, then it's already "serving" away all of its pretty little files without much prodding (funny, how a server...serves...files).
http://www.intentia.com/w2000.nsf/pages/PR_5BBD
" The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters. The entry took place at 12:51 pm on October 24th 2002, prior to the publication of the interim report for the third quarter of 2002. At approximately 12:57 pm, Reuters published the first news flash giving information on Intentia's third quarter result, without prior confirmation from the Company..."The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.
"We question the methods used by Reuters, and our judgement is that we cannot rule out the possibility of illegal actions. As a consequence we will file criminal charges regarding the incident," says Björn Algkvist.
"We will disclose to the Stockholm Stock Exchange all technical details on how the intrusion was made, which will allow them to share this information with other listed companies, so that actions preventing similar events in the future can be made," concludes Björn Algkvist. "
Tip for the Swedes over there at Intentia International:
"chmod --help" -or-
"mv --help"
If an unauthorized page isn't met with a 404 or 403, you did something wrong.
Most folk'll never lose a toe, and then again some folk'll...
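The posts above keep returning to the same point: "not linked" is not an access control, and a file that should not be public yet has to be refused by the server with a 403 or 404 until its release time. The following is an added example (not code from the thread, from Intentia or from Reuters) of what that looks like in a small Python handler. The embargo table, the 13:00 UTC release instant, the `X-Staff-Session` header and the hostname in the referer check are all constructed for the demo; the 12:51 and 13:22 timestamps used in the usage below are the ones quoted in the press release.

```python
"""Embargo-aware access control for a static web server (defender-side example).

Added example, not from the thread. EMBARGOES, the release time, the staff
header and the trusted referer host are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from http.server import HTTPServer, SimpleHTTPRequestHandler
from typing import Optional

# Constructed embargo table: URL path -> earliest instant it may be served to
# unauthenticated clients. Paths not listed are public as soon as they exist.
EMBARGOES = {
    "/reports/q3-2002.html": datetime(2002, 10, 24, 13, 0, tzinfo=timezone.utc),
}

@dataclass
class Request:
    path: str
    now: datetime
    authenticated: bool = False   # a real session/login, never a Referer header
    referer: Optional[str] = None

def access_decision(req: Request) -> int:
    """Return the HTTP status the server should answer with.

    * An embargoed path before its release time is 404 for the public, not 403:
      a 403 would confirm that the guessed name is right and the file exists.
    * Authenticated staff may preview the embargoed file (200).
    * Everything else is 200: an unlinked file is still a published file.
    """
    release_at = EMBARGOES.get(req.path)
    if release_at is not None and req.now < release_at:
        return 200 if req.authenticated else 404
    return 200

def decide(path: str, when_iso: str, authenticated: bool = False) -> int:
    """Convenience wrapper taking an ISO-8601 timestamp, e.g. '2002-10-24T12:51:00+00:00'."""
    return access_decision(Request(path, datetime.fromisoformat(when_iso), authenticated))

def referer_is_trusted(referer: Optional[str]) -> bool:
    """Referer checking, as one post suggests. Kept only to make the caveat
    concrete: the header is chosen by the client and can be omitted or forged,
    so it must never be the only gate in front of embargoed material."""
    return referer is not None and referer.startswith("https://ir.example.invalid/")

class EmbargoHandler(SimpleHTTPRequestHandler):
    """Wire the decision into a real handler for a stand-alone demo server."""

    def list_directory(self, path):
        # Directory indexes hand out every filename; refuse them outright.
        self.send_error(403, "Directory listing disabled")
        return None

    def do_GET(self):
        req = Request(
            path=self.path,
            now=datetime.now(timezone.utc),
            # Placeholder session check; a real deployment validates a login.
            authenticated=self.headers.get("X-Staff-Session") == "demo",
            referer=self.headers.get("Referer"),
        )
        status = access_decision(req)
        if status != 200:
            self.send_error(status)
            return
        super().do_GET()

if __name__ == "__main__":
    # Usage: the public sees a 404 at 12:51 and a 200 after release.
    print(decide("/reports/q3-2002.html", "2002-10-24T12:51:00+00:00"))        # 404
    print(decide("/reports/q3-2002.html", "2002-10-24T12:51:00+00:00", True))  # 200
    print(decide("/reports/q3-2002.html", "2002-10-24T13:22:00+00:00"))        # 200
    HTTPServer(("127.0.0.1", 8080), EmbargoHandler).serve_forever()
```

The choice of 404 rather than 403 before release is deliberate: a 403 tells whoever is probing that the name was right, which is exactly the confirmation an obscure URL scheme was supposed to withhold. The `list_directory` override covers the separate point made above about servers that happily list their directories.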
The company homepage, www.corp.com, is like the main switchboard number, say 555-1000.
URL's reachable through the home page (www.corp.com/foo/bar) are like internal extensions you can find through the voice menu system (555-1357).
The link with the earnings report is like an extension (555-2468) not on the voice menu, that came off somebody's business card or answering machine or some unknown channel.
That's it. Reuters is being sued over something very much like calling an unlisted direct phone number inside some company. How they got the phone number is, well, irrelevant. They're a news organization, they have reporters, whose job is digging up info like phone numbers.
Deep linking works the same way for anyone else too, of course. Like duh, if you don't want something to be reachable without going through the switchboard, don't give it a direct number exposed to the outside world.
It depends on how you define hacking... if they had no inside information about the URL, then yeah, guessing the URL would be a type of hacking but, I don't believe, one that could be punishable by law. For example, if I put an object I own in a public place... say, some place where the object is hidden but could be found if somebody was looking for it. Then a couple days later it's gone... is that theft? Sure, but, again, I don't think it can be punished. One of those "you should have known better," examples.
sig.
If you transmit something via RF, anyone can listen to it. It doesn't matter the content. If you don't take precautions to restrict access to information, then you might as well be giving it away. It doesn't matter that the Police don't want me listening to their transmissions; they don't encrypt them, or protect them, so they are mine for the taking, whether or not the freq is listed (although it almost always is listed here in the US). URLs, like frequencies, are just a way of addressing specific data. (from the human point of view...)
Stockholm, Sweden -Intentia International (publ.) announces the results of its internal investigation launched due to circumstances around the fact that Reuters published Intentia's fourth quarter results for 2002 prior to the scheduled publication on October 24th. "The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.
The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters using an exploit in the web server. The entry took place at 11:51 pm on October 24th 2002, prior to the publication of the interim report for the fourth quarter of 2002. At approximately 12:57 pm, Reuters published the first news flash giving information on Intentia's third quarter result, without prior confirmation from the Company. Intentia issued its earnings report ahead of schedule at 1:22 pm that same day. "The incident has severely damaged confidence in us as individuals and in Intentia as a company, and has cost millions of dollars worth of damages" says Björn Flänsost, CEO of Intentia International AB.
"We question the methods used by Reuters, and our judgement is that we have been the target of illegal actions. As a consequence we will file criminal charges regarding the incident, and will seek the maximum penalties for all those involved" says Björn Flänsost.
On Thursday, Intentia contacted the Stockholm Stock Exchange regarding an internal investigation of the incident. "We will disclose to the Stockholm Stock Exchange all technical details on how the intrusion was made, which will allow them to share this information with other listed companies, so that actions preventing similar events in the future can be made," concludes Björn Flänsost.
"The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.
While most everyone here will agree that Reuters at worst could have their actions described as exploiting Intentia's utter stupidity, quotes like this show how little some people know about computers. This guy obviously thinks that just because they didn't provide an explicit hyperlink, the data on their server is "confidential." What I fear is that some non-technology-savvy judge will actually follow this same train of thought and rule against Reuters. Is this ridiculous? Yes. Is it unfortunately all too real of a possibility? Yes as well.
PS - I checked Netcraft and they are running Windows 2000. Is it any surprise that their security guys would believe that data freely available on their server is secure if they also think a server on Win2k is secure in the first place?
Unless it was stated somewhere that the information was internal or unpublished (I didn't see that said anywhere) and if it was available on a public server (it apparently was), I don't see how even a court of law could find fault with Reuter's actions (and I'm not much into giving credit to the judicial system at this point).
In the court of clue (heh, I made that up!) they should be charged with three counts of public stupidity. One, for putting the information on a publicly reachable server in the first place if it was that important that no one see it yet. Two, for not protecting said information beyond just not linking to it from anywhere. Three, for suing. I'm just getting damn tired of companies suing people and each other because they don't understand their own technology at this point.
Now, how they got the URL might be another story if there was an employee who leaked it or something, but I wouldn't be surprised if the explanation was simply all their earnings reports were available as files in the same directory as earnings-200x.html.
Game... blouses.
AFAIK: There hasn't been a case like this in Scandinavia, so it could be interesting to see the outcome. Having read quite a lot of Norwegian and Swedish judgements on the subject, I think Intentia don't have a case as long as Reuters did not break any protection to get the documents.
Funny stuff, this.
I'm going outside, right now, with copies of some of my own financial statements.
I'm going to throw them onto the Main Street sidewalk, and stand just near enough to the pile that I can serve hastily-drawn lawsuit papers to anyone who dares to look.
The documents are undeniably my property, after all. Nobody has the right to see them unless I erect a big fucking sign pointing them out, even if they are scattered about a public walkway.
[Moral for the sarcasm-impaired: If you don't want your information to be public knowledge, now or ever, don't let it be publicly available. At all.]
Kid-proof tablet..
Actually, this does raise an interesting question. If a page is put on the web that cannot be spidered, and cannot be reached from any publicly available page, can we assume that anyone who accesses that page has some sort of unauthorized information? I have never heard of hackers systematically trying IP addresses for content. And it is in fact likely that Reuters got the info from an employee... in violation of the employment agreement.
This should be a fascinating case, and not nearly as easy as the writeup makes it seem.
Thalia
In the news business it's always about speed. Being the first one bringing the news. Getting authorised the rights to publish something that's already on the web would seem like a waste of time in any case in this business.
If I found a page on the net which seemed relevant to my news page, I'd link it and not check if it's OK. It's already on the web, right?
And anyone clueless enough to put sensitive documents accessible to the public should suffer the consequences. Maybe he'll learn.
Not Buzzword 2.0 compliant. Please speak English.
In other news, dialing unlisted phone numbers without the express written consent of the number's owner is now a criminal offense.
Crikey. I just don't know where they find people this stupid. Same goes for this deep linking crap. Maybe people should have to pass some sort of test before they get to use the Internet. Otherwise they have to use AOL until they at least understand that anything you post to the web could be publicly accessible.
From: "ferrocene" ,
To:
Subject: Re: Lawsuit @ http://www.intentia.com/w2000.nsf/pages/PR_5BBD3A
If an unauthorized page isn't met with a 404 or 403, you did something wrong. You have an incompetent webmaster. The proper way to remove a book from the library isn't to remove the card catalog, it's to remove the book.
-erik-
For the record, there was a case recently here in France where a judge ruled in favour of a person who hacked the website of Tati, a retailer. In fact the only tools the hacker used were a regular browser, and the information was insufficiently protected. French speakers can read more here. Google should be able to help the others :-). While this case isn't the same, in France this has made jurisprudence that information that isn't protected at all from basic navigation tools, can't be considered to be "stolen", even if the original intent was not to publish it.
Try NetBSD... safe,straightforward,useful.
A few years back someone found they could get other people's details from the Australian Tax Office's site by manipulating the URL (that's the impression I got anyway). An ultra-quick googling turned this up. What happened to this guy? I can't remember. All I can remember is that he sounded really embarrassed when he was being interviewed and was referred to as a "hacker".
---
Yeah, well, that's just, like, your opinion, man.
If they were to prosecute in the UK - I note Reuters replied to the allegations from their London HQ - here's what the law says:
So, it's quite straightforward really: if they can prove Reuters knew they weren't supposed to be looking at that material, then if the access was from the UK, a crime was committed. If Reuters can argue they didn't know the material was private, there is no case to answer.
Going back to the points some others have made about the information being publicly accessible with no .htaccess protection, clearly this doesn't matter. If, for example, you were to make a click-through that had to be viewed before you could see any of the content, stating that the information was confidential, then someone not supposed to be viewing it would be committing a crime to do so.
IMHO this PR stunt is an attempt to take the eye off their not so good results. According to the report Intentia's revenues declined by 14% during the period Jan-Sep 2002 and their operating margin is very close to ZERO.
IANAL, but I think they're stepping on thin ice because the report was already uploaded to a publicly accessible server and thus it should be considered published. Even if there was no hyperlink pointing to it, Intentia didn't take any protective measure to restrict access to the report. Reuters didn't have to circumvent any security measures, so they can hardly be accused of hacking. And since the report was on a public server they can't be accused of unauthorized access. Another possible scenario is that Reuters got the information about the document location from an insider, but the report was already accessible by the public, so I can't see any wrongdoing.
Which roughly translates to: 'we want to use the internet securely'.
They then put some confidential information on their public website, and sue the first people to read it
There's no doubt that the company that let their financials get out were completely moronic about their security. That, however, does not change whether or not it was wrong to hunt for this information. It's no different from the 'she was wearing something revealing so i have the right to rape/sexually harass her' fallacy.
It comes down to what the intent was and what the resulting action was. First, the Reuters reporter was probably looking for the data that wasn't released yet. He had intent to get something he wasn't supposed to have and get a story out of it. It's no different from someone with binoculars eying a payphone at an airport to steal calling card numbers from people who don't cover their keypads when dialing and then publishing the number/selling it/or using it to call some people.
The second half of the equation is what they do with it. Reuters had a scoop to gain by publishing this information early. If the reporter used this information to short the stock before it was released, that'd be illegal too. Think if we were dealing with something other than a press release. What if it was child pornography? Someone surfs to a random URL and finds child pornography. He could argue that he ran into it by accident, closed the browser and forgot about it. He's probably not going to be in too much trouble. But if he posts the link up on Slashdot claiming the story's about Linux, emails it to 1000 people, prints the pictures and mails copies to the police, then he's definitely guilty. Here Reuters found it and published it to get a story out of it. They acted on it and gave away something that wasn't theirs.
Please note that they are using Lotus Domino as their web server. This means that there are no physical directories that you can chmod or "look into".
The URL contains the Domino internal document ID (similar to a GUID) and I still can not understand how Reuters "guessed" that. Sounds to me like this is an internal leak...
Hello! We have been informed by our lawyers that we need to attach some sort of warning to this financial statement. So here you are: If you are under 18, are not an employee of Intentia, or are working for a major international news organization, please don't read it. Thanks!
One of the defendants in the Petswarehouse case was accused of "hacking" into the petswarehouse site. He did this by altering one digit of a URL.
After he placed an order, it sent him to a page that was a simple URL that contained an order number. That page displayed ALL of his info, including credit-card number. He decided to see what would happen if he changed a single digit in the order number. Imagine his surprise when he saw some other customer's order complete with CC number!
Petswarehouse actually tried to get the FBI to charge him with computer crimes for this amazing display of L88T HAX0R skillz. (sorry, I suck at hacker speak!)
For info about the case, see:
http://petsforum.com/psw/Docket.htm
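The Petswarehouse post describes the classic insecure direct object reference: the order number in the URL is the only key, so the server never asks whether the record belongs to the person requesting it. The same point answers the earlier remark that a Domino document ID is hard to guess: an unguessable identifier is a convenience, not an authorization check. Below is an added example, not code from the Petswarehouse site or the thread, showing the vulnerable lookup beside the hardened one, plus a small detector for the sequential-probing pattern in server logs. The order store, user names, card digits and log lines are all constructed.

```python
"""Insecure direct object reference (IDOR) on an order page, with the hardened
form and a log-side detector. Added example; all data below is constructed."""
import re
import secrets
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed order store keyed by a sequential order number, as in the post.
ORDERS: Dict[int, dict] = {
    1001: {"owner": "alice", "card_last4": "4242"},
    1002: {"owner": "bob",   "card_last4": "1881"},
}

def lookup_order_vulnerable(order_id: int) -> Optional[dict]:
    """The pattern the post describes: the URL's number is the only key, so
    altering one digit returns another customer's record."""
    return ORDERS.get(order_id)

def lookup_order_safe(order_id: int, session_user: str) -> Optional[dict]:
    """Authorization happens server-side: the record must belong to the
    logged-in user. A guessed number yields None, and the caller cannot tell
    'no such order' from 'not your order'."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        return None
    return order

def new_order_token() -> str:
    """Unguessable reference for confirmation links (22 URL-safe characters).
    This limits casual enumeration; it does not replace the ownership check,
    because a leaked link would still open the record."""
    return secrets.token_urlsafe(16)

# Constructed access-log lines in common log format: one client walks
# consecutive order numbers, a second client views its own order once.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2002:12:40:01 +0000] "GET /order?id=1001 HTTP/1.1" 200
10.0.0.5 - - [24/Oct/2002:12:40:03 +0000] "GET /order?id=1002 HTTP/1.1" 200
10.0.0.5 - - [24/Oct/2002:12:40:04 +0000] "GET /order?id=1003 HTTP/1.1" 404
10.0.0.5 - - [24/Oct/2002:12:40:05 +0000] "GET /order?id=1004 HTTP/1.1" 404
10.0.0.9 - - [24/Oct/2002:12:41:00 +0000] "GET /order?id=1002 HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) .*"GET /order\?id=(\d+) ')

def detect_sequential_probing(lines: List[str], threshold: int = 3) -> List[str]:
    """Return clients that requested at least `threshold` distinct order
    numbers forming a consecutive run. That is the signature of someone
    changing a digit at a time, which a legitimate customer never produces."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    flagged = []
    for client, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged.append(client)
    return sorted(flagged)

if __name__ == "__main__":
    # Usage: alice is logged in and tries her own order, then bob's.
    print(lookup_order_vulnerable(1002))          # bob's record leaks
    print(lookup_order_safe(1001, "alice"))       # alice's own record
    print(lookup_order_safe(1002, "alice"))       # None
    print(detect_sequential_probing(SAMPLE_LOG.splitlines()))  # ['10.0.0.5']
```

The ownership check is the fix; the random token and the log detector are defence in depth. Returning the same `None` for a missing order and for someone else's order keeps the response from doubling as an oracle for which numbers exist.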
Our vision is to become the leading global collaboration solutions vendor by supplying our customers with tomorrow's solutions today.
Well as I see it Reuters only kept in line with their philosophy. So why are they pissed?
All these companies seem to think that the Web is like a magazine: their neat little layout is all anyone should be allowed to use. But they forget that the Web was intentionally designed to facilitate deep linking and URL-typing for the purpose of transparent information exchange. They don't get to decide the layout and presentation of the data once they publish it so that it is accessible through a URL.
There is nothing about implicit permission to view here. I assert that they are EXPLICITLY granting permission to any and all to view the document when they publish it via a non-password protected URL.
That is the very foundation of the Web...without it we have interactive television.
The correct analogy to use here is not "it was an open window" or "a door that wasn't locked".
The correct analogy is the free information handout kiosk. Somebody put something at the kiosk sooner than they meant to, but behind a different handout.
I completely disagree.
From what I gather from the posts on here, it seems that these guys have a webserver with little to no security on it. If you use a basic webcrawling program, it likely jumps from link to link, which is what we expect AOL users to do online. However, a good web crawler will also check the directory by default as well, to see if there is an index (I've seen some of this in MY referrer logs).
Given that this was sensitive data, it should have been protected. Claiming that it was by not publishing the URL is like sticking it in a window of a building with thousands of windows. Eventually someone may see it.
Your analogy of the credit card numbers would be valid IF they had swiped a password to get to that point. But the server didn't ask for authorisation by any means. It was happy with a basic URL. There's nothing ultra-special about the URL to suggest that it's attempting to be hidden either. I doubt the location was intended to change, but to just be linked to.
Basically, Reuters has provided good reporting using the skills available to anyone with a decent webcrawler who has a set list of websites to follow. And if they didn't get it that way but got it through an anonymous tip, that's classic reporting.
The power of accurate observation is commonly called cynicism by those who have not got it. - G.B. Shaw
I'm not sure how much security went up since this article was published, but I've noticed that since this was broken on Slashdot, a bunch of security has started to be implemented.
At any rate, the URL that was used to reach the file wasn't that cryptic, it followed a pattern that HAD been used before. It's only logical to try to reach that, especially if you know it's coming time for them to publish again.
Exactly. This is equivalent to leaving a document pinned under a table on a street cafe (or under another note on a notice board). You're not advertising it's location, but if you find it, there is nothing stopping anyone from reading it.
A public web server is a publicly accessible location; if you give out your "private" documents without access control, no matter how obscure your filing system, then you have no expectation of privacy.
How about another example:
I place an unmanned, unguarded, unlocked filing cabinet in Times Square. This filing cabinet contains information that I encourage members of the public to access. My bank account PIN is stored in this filing cabinet under (SKGAKYG@&^KJH). Do I have any right to expect my bank PIN to remain private? Does it matter if the filing cabinet is in a publicly accessible area of my company? I would say no and no.
If you throw 'financial results embargo' at everyone's favourite search engine you'll find a bunch of press releases that have been made available in advance of the nominal release time; my understanding is that this is often done so that information is available at the same time to everyone regardless of the news service they subscribe to. It feels somewhat odd if the companies involved haven't in fact been doing this, but there may be some quirk of Scandinavian legal practice involved.
A bit odd, too, to find Reuters doing something that raises questions about their operating methods - most of the time they're keen to promote themselves as dependable partners of the companies they report on. They're undoubtedly feeling the effects of the current market storms themselves: perhaps a few corners were being cut in the effort to be first with the news.
Isn't it possible that Reuters had a bookmarked link to this URL? I know they say that it was unpublished, but maybe they had done redirection in the past, and Reuters bookmarked the redirected URL?
While it may not be illegal to actually view and read this information, its potentially creating a conflict of interest for investors. If this was an earnings report published before its intended publication date, people will trade off that information. This could create a situation similar to insider trading.
And regardless of this, if it is proved that Reuters did this intentionally, they are totally at fault. They know this information affects the markets, and that the information gives their clients a (potentially unfair) competitive advantage.
If Intentia had an obvious Earnings Report or financial press release procedure, Reuters should know they will potentially be held responsible for releasing false information.
What if this wasn't the final Earnings Report? Then Reuters would potentially affect the trading of Intentia stock based on false information...
That's still an address. It's just an address with a locked door and a guy behind it asking if you are a club member and know the password... otherwise known as a PRIVATE club.
A fool throws a stone into a well and a thousand sages can not remove it.
Very appropriate sig on the topic, by the way. And an addendum to the sig: "show a man Slashdot and he is lost forever".
"The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.
Yeah - no shit Sven, IT blunders with sensitive information tend to do that.
But hey, just to make sure that everyone's confidence in your company is shattered, why don't you do the American thing and file a 'It can't possibly be my fault' lawsuit.
__ Someday, but not this morning, I'll finally learn to use the preview button.
Under whose jurisdiction will this be decided? America's or Sweden's? Intentia filed charges with a Swedish criminal investigation bureau, but I doubt the "offense" by Reuters representatives took place under their jurisdiction, even it if did involve access to their servers.
There will be many precedents set in coming years regarding remote access potentially as though it were local, and it will be interesting how those chips stack up.
...a script kiddie managed to hack into Hotmail's servers using a widely distributed hacking tool known as "Internet Explorer". The hacker typed the "URL" into the "Address Bar" and gained access to the site.
From here, the hacker sent emails to a number of associates which read: "| 4m teh 1337 |-|aX0R!!!!!1 j00 4LL ArE Cr4P!!!"
"Frankly, we're shocked," said one Hotmail employee. "Who would have thought that URL's would give access to sites on the interweb?" he continued before returning to his task of spamming Hotmail's users.
The FBI are investigating the hacker, rumoured to be in junior high, as well as the distributor of the hacking software, a small company known as MicroSoft, already known for flouting the law. Updates as they come to hand.
The closest 'real-world' situation that I can imagine is someone sat in a public place reading a document with "Top Secret" written on it. Would this document be considered "public property" as the person was reading it in a place where anyone could easily read it over their shoulder?
I would have thought that the bigger story here would be that Intentia released price-sensitive information before they should have, by making their Q3 results available as a non-secure download. There are lots of regulations that mean companies get into a lot of trouble for leaking their results ahead of time. I think Reuters did us all a favour by highlighting this security risk.
Martin Piper
Owner - ReplicaNet and RNLobby
Here's another deep link to Intentia
__ Someday, but not this morning, I'll finally learn to use the preview button.
A couple of years ago, we had submitted a bid for a (substantial) research contract. The results of the bid were held in the website, but were easily reached by typing the correct URL. Indeed, we found out about it just by using their search engine, which did index the offending pages. We were aware of the bid not being successful (sigh!) about a week before the official announcement. It was a bit embarrassing when at the official announcement most of the institutions who had not been successful all had a good excuse for not turning up :-)
The 'softies were already antsy since when they called us all in for 'an important meeting', I had replied "Oh, is Bill finally buying us?" and this episode basically put them over the hill.
I quit on that day. Not because of this incident, but because I didn't want to work for Sauron.
[1] That was one of the more imaginative company names suggested for the buy-out of Commodore, back in the day. THPC and Barney the Dinosaur. :-)
Money for nothing, pix for free
This is clearly ridiculous.
They published it by putting it into a directory from which the web server could serve up documents. End of story.
The arguments about "but that means burglary is allowed if you have no security" are completely specious. This has nothing to do with security. Through deliberate action, or even accidentally, they made the document publicly available. It's as simple as that.
.. i'm a hacker?
where would the line between hacking/not-hacking go?
like, some things like this appear on google too, would that make using google search hacking..
geez.. what if i put up www.poikspoiks.com and didn't advertise it, and didn't properly set up the access before the premiere.. accuse somebody of hackin?? yea rite.
world was created 5 seconds before this post as it is.
http://www.intentia.com/w2000.nsf/files/kjafd_0210_us.pdf/$FILE/kjafd_0210_us.pdf
Now will someone who reads the relevant language tell me what, if anything 'kjafd' means? Links to other reports were all in a very similar vein, although the 'kjafd' part changes in a nonobvious pattern.
"Evil company X is threatening to restrict our rights! Let's all get together to stop--OOOH! SHINEY!!!" -- AC
Sheesh. Where'd they put the file? in public_html?
Wansu, th' chinese sailor
you had to know, or guess, what address to type in order to retrieve it.
Does not listing a library book in the card catalog mean the book is classified, private information? What if someone released movie to the theaters, but didn't advertise or put the show times in the newspaper?
This is just a silly company wanting laws to cover their idiotic mistakes. It's easy enough to store your unreleased earnings report somewhere besides your live webserver.
$8.95/mo web hosting
Frankly, this is a pretty bad way to get your name out - an IT company that doesn't understand the web any better than this? I wouldn't hire them to do anything, they sound totally incompetent. But they say any publicity is good publicity...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Anything put onto a web server, that can be accessed from the internet without any security (password, etc), should be considered "in the public". The report was available, even though there weren't links to it.
It'd be like having a store, with a big display covered by a tarp, and no employees around. If someone came into the store and peeked under the tarp, is it Breaking & Entering? I don't think so...
Ed Wedig
Graphic design services
docbrown.net
But did Reuters even know that there was no link to the page? They probably realised that the results were due to be published that day, and on past practice would be put at a standard URL called ..../results.html.
Being a clever fellow, he can see that the old results are under
.../results2000.html, .../results2001.html. So, just to save himself time, he types in the .../results2002.html URL. Instead of going in through the corporate page, he just keeps trying this until the 404 goes away, whereupon he can write his story.
The "proper" way to access it would be to wait until there was a link from the corporate front page. But that means, probably, that he has to keep going to the front page, re-reading the standard corporate boilerplate saying what a great company they are, until he finds the freshly created link to the published results. And, because of the job he does, he is doing this for perhaps twenty companies due to publish their results today - and he is bored with re-reading each of their paeans of self-praise.
So not only did he not intentionally bypass any security or hiding features, he didn't actually know he had done so.
The lawyers can always make simple things complex, but I cannot see how it can be wrong to publish something put in a place made for public information when you had no way of knowing that information was not intended to be public.
Consciousness is an illusion caused by an excess of self consciousness.
Nordea has acknowledged that parts of the report were mistakenly put on its Web site.
Two options: either (a) Nordea is using "content management" software that pushed this earnings report to production, based on its workflow tools, without any of the contextual links, or (b) the Web team decided to rely on a blind url in the place of real security because some clueless executive was in a big rush.
Ahlerup wouldn't comment on whether the company had made market-sensitive information available before it was released.
And we can't tell which.
I get requests all the time for demos to be put in "blind" directories on an existing server instance. Usually it's a rush presentation or something, a sales pitch that needs its own demo site in a hurry. There's no way in the world I'd do it with sensitive data on the splinter site, though. Not a chance. It'd be extremely negligent.
On the other hand, if the problem was with their "content management" environment, then someone's screwed up designing the publishing "workflows." The earnings report should have been contingent on the rest of the release, not a separate distribution. Some of that software is pretty bad about publishing date windows and contingent relationships, though, so I can see it happening.
"We want the authorities to test what can be considered to be private or public," Ahlerup said.
Floating a legal trial balloon is fine, okay. But it's time to revamp your web support team, not sue a news agency.
"Fundamentalism" isn't about divine morality. It's about human authority.
Publishing an earnings report before the company announces it is still rude, even if it's not technically illegal. I hope this case is thrown out, so as not to set a precedent, but I think it was a lousy thing of Reuters to do. It's one thing to guess URL's and obtain advance information for your own personal use; it's quite another to publish it to the rest of the world.
-John
A Danish company (http://www.valus.dk) presented last spring an electronic wallet that could be used for paying small amounts on the internet.
On a chatboard hosted by the magazine www.computerworld.dk their safety was discussed.
Someone posted that entering http://www.valus.dk/badscript.asp?x;shutdown would shut down their server.
Another one couldn't resist testing whether it was a joke or not, so he entered the URL and the server shut down... He tried it again the next day and it went down again.
A few months later the police knocked on his door, confiscated his computer and he is now charged with "hacking".
They argue that he should have known that the above URL would shut down the server (he was told in the chatboard), so it was a deliberate DOS attack !!
Try a search on groups.google.com for www.valus.dk
i.e.
http://groups.google.com/groups?hl=da&lr=&ie=UTF-8&threadm=aokrr5%24lr9%241%40tux.netsite.dk&rnum=2&prev=/groups%3Fhl%3Dda%26lr%3D%26ie%3DISO-8859-1%26q%3Dwww.valus.dk%26btnG%3DGoogle-s%25F8gning
or
http://www.snakeoil.dk/kommentarer/20021028-1
/Anders
Circumvention of an effective access control device.
Having a "secret" URL could be considered an access control, if it is secret and sufficiently non-obvious, it would also be effective.
By determining that secret URL, they have bypassed the access control, despite the trivial method, this could be considered unlawful access.
Poor security is not equivalent to permission. But not taking reasonable means to protect yourself is irresponsible.
For example some insurance companies don't cover stolen cars if the owner left the keys in the car.
Thousands of readers of a popular, yet poorly designed open source friendly news relay site are being sued by the OSN for directly typing in the web server's domain, without instead following a link to it.
Slay a dragon... over lunch!
There was a similar case in Australia a few years ago, so please forgive me for not going into great detail, as my memory is no longer photographic.
It seems there was an Australian Government site for information about your tax status. You entered your tax file number (same as the US SSN), plus a little more information to verify your identity, and then were shown a page with some tax information of some sort.
One man noticed that the page he was eventually directed to was http://somethingsomething.gov.au/something.asp?tfn={his-tax-file-number} and wondered how good the security was. So of course, he types in another tax file number in the address field to test it.
BLING! Someone else's tax information pops up! No security at all, someone had just dumped this simple database-access script on the web for all to see! He tells someone in the tax department (big mistake) about the security flaw and POW a piano falls on his head. Metaphorically speaking.
Are there any Aussies in the audience who remember any more details about this one? It was at least 3 years ago.. can't remember the final outcome.
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
> Reuters knew that it wasn't Intentia's intent to release that information (yet) but still persisted in obtaining and releasing it to the general public.
Unproven assumption. Reuters knew the URL it would be posted at, and kept looking at that URL until it appeared. Because it appeared on a public web server, they assumed it was published. Wrong, but how were they to know that?
Consciousness is an illusion caused by an excess of self consciousness.
Whitehouse
Washington D.C.
USA
May I please have the secret documents on taking over the world?
[Bush]Donald...You didn't actually send the documents did you?
[Rumsfeld]Well...
...then it's public.
I'm thinking that Swedish company needs to access
http://intentia.com/get/thehell/over.it for an attitude adjustment.
This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
Please send your out-of-court settlement to: [suppressed]
--
bachiatari na torisetsu o yome!
I used to work at a company which used (at that time) a particular dynamic-content-management system (the name escapes me just now). At one point, one of the emails we received from a site visitor informed us that one of the big search engines had somehow (though no link existed to it ANYWHERE) managed to spider the admin page for that system... which was completely unprotected and included such information as our license key for this very expensive software.
To this day, I have no idea how that URL ended up on the search engine, but it just goes to show - if you want something protected, put a PASSWORD on it. Sheesh.
Or should we have sued the search engine for finding that link? Or the user who kindly reported it to us? Sorry, Europe. It looks like 'our' enjoyment of frivolous technology-lawsuits is starting to rub off...
... "I read part of it all the way through." -- Movie Mogul Sam Goldwyn (and some slashdot readers)
If I'm right, and if the judge sees it too, look for Intentia to win the case and get damages of $1...
Swedish courts traditionally award far less damages than their American counterparts.
Look for something more along the lines of 1 SEK (= 1/9 USD)
;-)
And if you ask me, thats a lot more than they are worth.
"First lesson," Jon said. "Stick them with the pointy end."
When I type in a URL like www.comics.com I am essentially "guessing" that this URL exists and contains what I want. If it doesn't I move on. Essentially any URL I type in is similar to this. Now, www.comics.com cannot put their most confidential stuff at this page and then sue me for not following links. (links from where?)
There is no rule that accessing pages that are available to my web-browser is a violation of privacy, because the web server is present exactly for that reason: sharing what you don't want to be private.
The bottom line in this case is very simple. It's _my_ freedom of action to type in _any_ goddamn URL I want, in _my_ browser.
If some moron in their company doesn't know the difference between their web-share drive and the company private drive, they need to fire him/her.
The company site quotes: "The incident has severely damaged confidence in us as individuals and in Intentia as a company" and I am amused by this. YES, that's perfectly true.
Any company that handles such vital information in such a careless manner DOES NOT deserve much confidence or credibility and they are just proving that they are morons. But instead of accepting their shortcomings they are raving like an infant.
I think the key to their charge is the allegation: "The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters."
Which pretty much sums it up. Is it illegal to type in any URL I want in my browser and view the contents? I just hope that the verdict is a slap in their face and doesn't set any idiotic precedents.
DO NOT PANIC
By definition putting a file in a "world readable" directory and setting the permissions to allow world access kinda implies that you don't care who reads this. Otherwise - why in the world would you allow this kind of access? If you place it in a world readable directory, you have no business complaining the world can read it.
If religous zealots don't believe in Evolution, then why are they so worried about bird flu?
It's probably too late for this to do any google, but here's google's take on Secret Websites and URL guessing (from their webmaster's FAQ)
IMHO, If you put something out there, and don't restrict anonymous access, the information is freely accessible. Access is implicitly given - you can restrict access, not grant it.
If you blog it...
If you do a Google search for intentia results, at least one early entry points to the Intentia 'press room' containing an earlier quarterly results announcement. The announcement page itself does have a 24 bit hex ID number in the URL (BA45EE etc) that would be hard to guess for a new quarter. But on the announcement page is this link:
Now the URL (which no longer works, natch) of the PDF file being linked to: is extremely easy to extrapolate to subsequent quarters. I have no doubt that's what Reuters did, for this company and many others with similarly easy naming schemes and early uploading schedules. And I have no doubt that other journalists pull the same trick. In this case, a company with results they'd rather nobody noticed has jumped at the opportunity to change the subject.
How could it possibly be considered private if it was accessible by URL?
Well, your house is accessible by simply moving some little pieces of metal in the lock tumbler that are clearly accessible from the outside.
So by that logic, I guess the contents of your house are public.
That's why you're stupid. Publicly accessible webservers have one purpose, to publicly give out documents. If you don't want something to be publicly accessible, you don't put it on your webserver. House and store analogies are just stupid. Reuters asked their webserver for a document and they received it. There is nothing illegal or fishy there.
On three of those windows I have a big sign at the top that says "Jobs, Please Read" another with "Sales, Please Read" and another with "Press, Please Read". The windows are plastered with information that you would expect under those headings.
The fourth window is clear and has no sign.
One day I plaster an important and confidential message to the fourth window, in a lower corner and in a small font.
Are the passers by who bend down to read that message breaking any law or even any ethical code for that matter? If they talk about it, is it wrong?
I agree with you completely and have made this same point on the deep linking issue.
The plaintiffs in this case chose to hook up a server to a network. They chose to assign it an IP and a DNS name to facilitate network connectivity. They chose to install web server software. They chose to configure that software to respond to HTTP requests for files on port 80 of their outside IP. They chose to start their web server. They chose not to use any of the myriad of standard security mechanisms such as firewalls, authentication, access controls, encryption, etc... that could have secured their file. They chose to put the file in question in the directory the web server was configured to publish to the outside world.
Then Reuters asked for the file via an HTTP GET request and the machines followed the instructions they were given and provided the file. It's kind of sickening that this argument isn't laughed out of court.
While Galeon very well may, Mozilla does not have an up button. However there is a feature request [mozilla.org] for one open in the bug tracking system. If you want it too, help fix it or at least vote for it [mozilla.org]!
There has been an up button for quite a while.. perhaps you just didn't recognize it or something.
You are absolutely correct, and I verified this using Google.
Do the following:
Search on "Intentia quarter results" (no quotes)
click on Cached for "[Intentia] Intentia's Second Quarter Results 2002"
Find where it says "::: read the full report" and look at the URL.
It's not only not illegal, but it's common sense. It's as if Intentia was saying "This is where we put our quarterly results, so come back here later and get the Q3 results when available."
Send them an email, and tell them how stupid they are. Unless you actually believe this was an intentional marketing ploy (which it may be).
Am I the only one who tried this URL?
Yes. Loser.
Nope, no sig
Am I the only one who tried this URL?
No. I am such a loser.
Nope, no sig
Think hard about AC's question... they are both URIs that are typed in, and both produce undesirable (for the server owners) results.
True, AC's might exploit a flaw with the server itself while the one in the posted story simply access unlinked content, but how would one explain that to a non-technical user like a typical judge/jury?
Either way, this could turn into a bad, bad precedent.
The problem here is that Financial data with the Company's credentials are being released to the Public, at a time not of the Company's choosing.
If the person who discovered the information kept it private, but made stock trades with the Company, we call that Insider Trading, and the person would face jail time. In this case, the person discovered the file, and released it under the guise of being "official", simply because it was located on (a non-referenced portion of) the Company's site. In effect, Reuters was pretending it was an official release.
A secondary problem is that a production system (the external web) is being treated as a test environment, by loading data into the folders but not linking to them. Anything on a production system can be accessed by anyone, and if the Company was not ready for that data to be accessed, then it shouldn't have been placed on the server until the minute they were ready to release.
Here's another scenario: Suppose a week ago, the Company began setting up for their earnings report. They put a copy of their earnings on the web, but did not link to it. In the mean time, the data became stale because of an error discovered in accounting. The file was not updated, because it is not linked to, so the world does not know it exists. Reuters now guesses the file, and publishes the link. The data is an unauthorized release of stale data, but it is being published by a source claiming it is official data. Outside investors would see the stale data, and would make costly financial decisions based on the (unknowingly false) data. The Company's stock could plummet, and severe losses could ensue. Plus, under recent disclosure laws, the Company's CEO could face stiff fines/jail for falsifying data.
So, both groups are guilty, the webmasters for not securing the data, and Reuters for unauthorized disclosure. I agree they should be sued, not for the simple act of "linking", but for falsifying the announcement of an earnings report, and let the SEC sort this one out.
Interesting. I'm under the lawyer-induced opinion that content deliberately made accessible via a URL on a publicly available server is just that, public. The URL is key, of course, the argument being that if no URL points to something, that "something" remains private.
That falls apart when other files, not meant for public consumption, stashed in the same file system, are accessible via a little creative editing of a published URL.
Is it a privacy violation to go fishing on a public server to see what else is lurking there?
-- Slashdot: When Public Access TV Says "No"
And the guy who took it from the shoe did steal it. It is called "conversion" and the owner is entitled to sue to recover the property.
Technically you are correct, the legal term for this is "conversion". And the legal term for people who don't secure their valuable property is "dumbass".
My college protects grades a similar way before they're released, last semester I started publishing a form in my web space (hosted on their server :)) that allows you to get your grades (presumably) as soon as they're scanned in, several days before their intended release. I don't know if anyone on staff noticed and/or cared; it may be that the official release time is just there to prevent complaining about "she got her grades before I could". All that was required to make the form was stripping down their grade submit page and changing one of the options in a select.
The company puts their earnings report in a tree trunk in the woods. Reuters tells the world where to find it.
The action of telling the world can hardly be illegal. Possibly the way the information was originally obtained could be.
Tor
...don't play on the interstate.
If you don't want people to see your internal company data, don't put it on the Internet.
Got it boys and girls? Yes? OK, now we can have milk, graham crackers, and naptime.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
"can we assume that anyone who accesses that page has some sort of unauthorized information?"
This word "unauthorized" seems to get thrown around whenever a company doesn't like how something is used. My objection to it is that its use supposes that the company has the power to grant or deny authority to us. Reuters doesn't need to be authorized by Intentia to try undocumented URLs, nor to view public html. We don't need Sony to authorize us to play imported games on consoles that they made but we own. We don't need a studio's authority to play DVD's from a different region. You don't need Microsoft's authority to load Linux onto your X-Box.
Unfortunately, courts and other powers seem far too willing to buy into it and rule against "unauthorized" actions.
Don't moderate flamebait as Troll. Know the difference or you will be Meta-moderated.
I suggest you install Diggler if you want to navigate to parent directories.
From The Register article:
However Intentia isn't alone in its accusations. Three other Scandinavian companies Nordea, the region's biggest bank; Fortum, the Finnish energy group; and Sweco, a small Swedish consultancy also claim that their results were published by Reuters ahead of their official release, the FT reports.
The obvious conclusion from this... is that Reuters is in possession of a time machine.
I'm going to hunt you down...
::glowers::
Posting AC cannot save you.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
internia does ebusiness.
is anyone else scared by this?
2 1337 4 u!
Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report that they sent to Reuters with an accompany post-it note that said "please publish me". The catch? The report couldn't be accessed unless you understood an obscure and arcane code called "the English language". The precedent this case sets will be interesting. If you write a report in a language that has no native speakers that actually use it correctly, can it be considered public?
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
www.my.com/report2000.pdf
www.my.com/report2001.pdf
and the world is waiting for 2002 report, would it really be a surprise when millions try to download www.my.com/report2002.pdf one day before the actual release? Come on, _everybody_ would do that. Perhaps one should sue Intentia for violating some stock exchange rules by not protecting the data.
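The year-by-year URL guessing described in the post above (and earlier, in the post about the reporter trying .../results2002.html until the 404 goes away) is simple enough to write down, as is the trace it leaves on the server. The following is an added example, not code from the thread or from Intentia or Reuters: the URL scheme, host name, client addresses and access-log lines are all constructed for illustration. The first function extrapolates the next URL from already published ones; the second runs over common-log-format lines and flags any client that requested the not-yet-linked path repeatedly before the release time, which is what a poller looks like from the server's side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed: results URLs as they might be linked from a press-room page.
PUBLISHED = [
    "http://www.example.com/ir/results2000.html",
    "http://www.example.com/ir/results2001.html",
]

# Constructed: the official release instant of the example report (CET).
RELEASE_TIME = datetime(2002, 10, 28, 13, 0, tzinfo=timezone(timedelta(hours=1)))

# Constructed access-log excerpt in NCSA common log format. 10.0.0.5 polls the
# not-yet-linked path every half hour and gets it early; 10.0.0.9 waits.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Oct/2002:08:01:10 +0100] "GET /ir/results2002.html HTTP/1.0" 404 209
10.0.0.9 - - [28/Oct/2002:08:02:30 +0100] "GET /ir/index.html HTTP/1.0" 200 5120
10.0.0.5 - - [28/Oct/2002:08:31:12 +0100] "GET /ir/results2002.html HTTP/1.0" 404 209
10.0.0.5 - - [28/Oct/2002:09:01:15 +0100] "GET /ir/results2002.html HTTP/1.0" 404 209
10.0.0.5 - - [28/Oct/2002:09:31:18 +0100] "GET /ir/results2002.html HTTP/1.0" 200 88211
10.0.0.9 - - [28/Oct/2002:13:05:00 +0100] "GET /ir/results2002.html HTTP/1.0" 200 88211
""".splitlines()


def predict_next(urls):
    """Given URLs that differ only in a four-digit year, return the URL for
    the following year; return None if the URLs share no such scheme.
    This is the whole 'attack': no exploit, just counting up."""
    pat = re.compile(r"^(.*?)(\d{4})(\D*)$")
    matches = [pat.match(u) for u in urls]
    if not matches or any(m is None for m in matches):
        return None
    prefixes = {m.group(1) for m in matches}
    suffixes = {m.group(3) for m in matches}
    if len(prefixes) != 1 or len(suffixes) != 1:
        return None  # not one incrementing scheme, nothing to extrapolate
    latest = max(int(m.group(2)) for m in matches)
    return f"{next(iter(prefixes))}{latest + 1}{next(iter(suffixes))}"


LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_log(lines):
    """Yield one dict per well-formed common-log-format line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        yield {
            "client": m.group("client"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        }


def find_pollers(lines, embargoed_path, release_time, min_hits=3):
    """Return {client: count} for clients that requested embargoed_path at
    least min_hits times before release_time. Repeated 404s (or an early
    200) on a path nobody has linked to yet is the footprint of guessing
    rather than of following links."""
    hits = defaultdict(int)
    for rec in parse_log(lines):
        if rec["path"] == embargoed_path and rec["ts"] < release_time:
            hits[rec["client"]] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print("next results URL:", predict_next(PUBLISHED))
    print("polling before release:",
          find_pollers(SAMPLE_LOG, "/ir/results2002.html", RELEASE_TIME))
```

The detector is also the argument for not staging the file early at all: in the constructed log the early copy has already been served at 09:31, and no amount of log review gets it back. The useful output of the check is the list of clients to expect trouble from, not a way to prevent it.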
Technically speaking, I'm very familiar with the server platform they use (Domino) and it's extremely secure (NSA, CIA, etc use it). For them to characterize this as a 'break in' is stretching it a bit. Domino provides security from server level down to individual user roles and fields. It's very simple to secure a file or page. Additionally, the standard procedure is to not replicate data you don't want made public to an external box, just in case you forget to secure a document.
For those of you interested in the technical/legal issues of 'publishing' the link, let's not forget that Domino has a few well-known powerful facilities to search and index content on a site... (ie: ?SearchView)
Domino Developers Site
Search URL Syntax
Documentation on R5 Search
Documentation Library
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
A few months ago I guessed the URL to the then-new Star Trek Nemesis teaser from Apple's site ten minutes before their trailer page was updated to access it, ensuring I got it at high download speed before the masses linked in and slowed everything down.
Guess I'll be expecting a court summons soon...
1. Everybody visit Intentia's site right now, taking note of the fact that they prevent your browser's BACK button from functioning.
2. File criminal charges against them for hacking your computer.
Favorite line:
Like they aren't doing enough of that on their own. Presumably they have research that backs up their damage claims. Yeah, right.
chmod 100 file.pdf and chown root file.pdf - then either chmod/chown it back manually or write a cron job to do it.
wrap the file in a php file that checks the date first (the pdf would be outside the server root and the php file would write a few headers and then spit out the file)
Don't put it on the site until it's really time to be public!
I've known people who put new versions of websites in subdirectories called "beta" or something equally simple, and other people who wrap links to "secret" files in <font color="#FFFFFF"> tags. Security through obscurity is inexcusable when there are very simple techniques that will greatly improve security.
I really hate signatures, but go to my website.
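Of the three suggestions in the post above, the "wrap the file in a script that checks the date" one is the only one that lets the public URL exist in advance without leaking anything, and without the chmod/chown juggling that still leaves the file inside the document root. Below is an added example of such a gate, written for this page rather than taken from the thread; the public path, release time, private directory and PDF bytes are all constructed. The report lives outside the document root, and until the release instant a request for its URL gets exactly the same 404 as a request for a path that does not exist, so a poller cannot even learn that the file is staged.

```python
import os
import tempfile
from datetime import datetime, timezone

# Constructed: a directory the web server never serves directly, standing in
# for "outside the server root".
PRIVATE_DIR = tempfile.mkdtemp(prefix="embargo-")
REPORT_FILE = os.path.join(PRIVATE_DIR, "q3_2002.pdf")
with open(REPORT_FILE, "wb") as fh:
    fh.write(b"%PDF-1.4\n% constructed placeholder, not a real report\n")

# Constructed: public URL path -> (file on disk, release instant in UTC).
EMBARGOED = {
    "/ir/results2002.pdf": (REPORT_FILE, datetime(2002, 10, 28, 12, 0, tzinfo=timezone.utc)),
}

# Constructed instants for the demonstration, one minute either side of release.
T_BEFORE = datetime(2002, 10, 28, 11, 59, tzinfo=timezone.utc)
T_AFTER = datetime(2002, 10, 28, 12, 1, tzinfo=timezone.utc)

# One canned 404 for both "unknown path" and "not released yet". no-store keeps a
# proxy from caching the early 404 and handing it out after release.
NOT_FOUND = (404, {"Content-Type": "text/plain", "Cache-Control": "no-store"}, b"Not Found")


def serve(path, now):
    """Return (status, headers, body) for a GET of `path` evaluated at `now`.
    `now` must be timezone-aware so the comparison with the release instant
    cannot silently go wrong across zones. Before release the reply is
    indistinguishable from the reply for a path that does not exist."""
    entry = EMBARGOED.get(path)
    if entry is None:
        return NOT_FOUND
    file_path, release_at = entry
    if now < release_at:
        return NOT_FOUND
    with open(file_path, "rb") as fh:
        body = fh.read()
    headers = {
        "Content-Type": "application/pdf",
        "Content-Length": str(len(body)),
        "Content-Disposition": 'attachment; filename="results2002.pdf"',
    }
    return 200, headers, body


def wsgi_app(environ, start_response):
    """Minimal WSGI adapter so the gate can run under any WSGI server,
    always judging the request against the current UTC time."""
    status, headers, body = serve(environ.get("PATH_INFO", ""), datetime.now(timezone.utc))
    reason = {200: "OK", 404: "Not Found"}[status]
    start_response(f"{status} {reason}", list(headers.items()))
    return [body]


if __name__ == "__main__":
    for when in (T_BEFORE, T_AFTER):
        status, _, _ = serve("/ir/results2002.pdf", when)
        print(when.isoformat(), "->", status)
```

The point of returning the same 404 in both cases is that a guessed URL then tells the guesser nothing, not even that a file is waiting. A 403, or a 404 only on the embargoed path, would confirm the path and invite the half-hourly polling the earlier posts describe.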
To follow this analogy:
It would be like catching a bunch of people skinnydipping in the local river/lake/whatever (someplace public) and yelling it out to everyone, perhaps calling it in to the radio etc.
As for legality (ignoring the non-issue legality of public nudity Vs public website) I'm not sure if it would be illegal to let this info out
- Publishing the website address: No hacking.
- Obtaining the website address if there wasn't a publicly visible URL: No hacking
- Obtaining the website if it came through a call-home from google toolbar or similar tool: no hacking (has disclaimer providing info on what it does)
- If somebody used a vulnerability in a site or PC to obtain information on the address in question: There is the hacking
All the rest would go somewhere else in the legal areas, perhaps damages for compromising their financial information before release time (with demerits to Intentia for stupidity in not sticking an
Something like when you know dialing "0" in an automated phone system often leads to a direct operator. The annoy-a-voice prompter may not tell you that 0 works (or at least not until later), but you can still hit it beforehand...