Slashdot Mirror
Reuters Accused Of Hacking For Typing In URL
Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."
Here's a related thread from yesterday.
It could have easily been protected by .htaccess or whatever. So, they have no case. Let's hope Reuters won't budge, and the judge will have a clue.
Quotes are from Intentia's press release concerning the investigation.
"Reuters News Agency Broke into Intentia's IT Systems"
I would not call it breaking in to surf on someones homesite.
"there was an unauthorized entry via an IP-address belonging to Reuters"
What do they mean, do I have to call them and ask for permission before accessing files publically available on their homesite?
As Reuters didn't steal anything, but simply pointed at on open window (that they found) I would have to say that their act was not illegal. What they should investigate is their internal safety policies, because they need a revision or two (IMHO).
It's not about the existence (or not) of the link, but the source of the URL. While I don't agree with it, I think what they are saying is that if a site doesn't publish a URL (usually through a link, but could be in print, etc) it is not public information and accessing it is unauthorised access. This is the same attitude (if not specific issue) that has a problem with deep-linking too.
Free Java games for your phone: Tontie, Sokoban
Well I do it all the time when browsing pr0n. Suppose you have an url like this one : http://www.hotteenchick.com/free/tgp/melanie08/mel anie08.html,
it doens't take long to figure out where the other pics are.
If the publishers of the resource wanted to limit access to the resource they could add authentication, referer checking, or a timestamp check - anything, really. Since they did not, I fail to see how they can have a case.
"Security through obscurity", like having a non-linked but available resource, is self delusion.
In some areas of law, it's unavoidable drawing fuzzy boundaries and considering intent. However, in this case, anybody who wants to protect their information on the web easily can, using standard web access control schemes; they don't need to rely on using obscure URLs. Let's not burden the courts with this.
This is part of a more general and disturbing trend, where lazy system admins don't spend the time set up their systems correctly, or management hires incompetent and cheap staff, and then try to use the court system and police (i.e., taxpayer money) to make up for their own shortcomings.
"The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB."
Um, yeah. If you cant tell the difference between 'storing confidential data in an access controlled place on your internal network' and 'storing confidential data on an open-for-all external site' it sure will damage my confidence in Intentia as a company. Incompetent is a fairly fitting description.
Repeat after me:
If you don't want people to read something, don't put it on the Internet.
Please correct me if I got my facts wrong.
First, Reuters' position would probably be that the data was on a public network which was in plain view as long as the url is typed in. I myself do this all the time, why go to www.microsoft.com, click once on support, then click on download when I know the url I want is www.microsoft.com/download. It saves time and trouble. However their "accidental" stumbling upon of this data, which is far more important than anything I'd ever likely find on accident would most likely not fall into the same category. IANAL, but at the same time I would argue that anything they don't want leaked shouldn't be put online anyway, and espically without any security.
However, I can see Intentia International's point of view. What's to stop someone from simply hitting their webserver with every alpha-numeric combination possible. They'll eventually come across the correct one for some piece of information which had gone previously undiscovered because it was to be placed up at a time which was decided by Intentia or any other company for that matter. I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/fin ancial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password. And, scarily enough if they showed a direct relationship between all pages not yet linked and their corresponding URL perhalps a big fat DMCA case might come about if Reuters or someone figured that "~a2eslcf" meant "third quarter" in some sorry 2 bit encryption.
Here in Denmark we have a similar (but more serious) case. A micro-payment system called Valus owned and developed by a Norwegian bank (Den Norske Bank) was "hacked" on its premiere day by typing in a simple URL with the command SHUTDOWN at the end. The link to do this was published on an online debate forum and several people tried the link (although it had a warning that you should not try it:-). The problem was missing input validation (maybe the most basic security issue). Until now five people have been taken to court - one of them being the "mastermind" who posted the link. As a reaction to this behaviour Valus has been reported to the state agency for protection of personal data (Datatilsynet) for not securing personal data.
The company homepage, www.corp.com, is like the main switchboard number, say 555-1000.
URL's reachable through the home page (www.corp.com/foo/bar) are like internal extensions you can find through the voice menu system (555-1357).
The link with the earnings report is like an extension (555-2468) not on the voice menu, that came off somebody's business card or answering machine or some unknown channel.
That's it. Reuters is being sued over something very much like calling an unlisted direct phone number inside some company. How they got the phone number is, well, irrelevant. They're a news organization, they have reporters, whose job is digging up info like phone numbers.
Deep linking works the same way for anyone else too, of course. Like duh, if you don't want something to be reachable without going through the switchboard, don't give it a direct number exposed to the outside world.
It depends on how you define hacking... if they had no inside information about the URL, then yeah, guessing the URL would be a type of hacking but, I don't believe, one that could be punishable by law. For example, if I put an object I own in a public place... say, some place where the object is hidden but could be found if somebody was looking for it. Then a couple days later it's gone... is that theft? Sure, but, again, I don't think it can be punished. One of those "you should have known better," examples.
sig.
Stockholm, Sweden -Intentia International (publ.) announces the results of its internal investigation launched due to circumstances around the fact that Reuters published Intentia's fourth quarter results for 2002 prior to the scheduled publication on October 24th. "The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.
The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters using an exploit in the web server. The entry took place at 11:51 pm on October 24th 2002, prior to the publication of the interim report for the fourth quarter of 2002. At approximately 12:57 pm, Reuters published the first news flash giving information on Intentia's third quarter result, without prior confirmation from the Company. Intentia issued its earnings report ahead of schedule at 1:22 pm that same day. "The incident has severely damaged confidence in us as individuals and in Intentia as a company, and has cost millions of dollars worth of damages" says Björn Flänsost, CEO of Intentia International AB.
"We question the methods used by Reuters, and our judgement is that we have been the target of illegal actions. As a consequence we will file criminal charges regarding the incident, and will seek the maximum penalties for all those involved" says Björn Flänsost.
On Thursday, Intentia contacted the Stockholm Stock Exchange regarding an internal investigation of the incident. "We will disclose to the Stockholm Stock Exchange all technical details on how the intrusion was made, which will allow them to share this information with other listed companies, so that actions preventing similar events in the future can be made," concludes Björn Flänsost.
"The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.
While most everyone here will agree that Reuters at worst could have their actions describe as exploiting Intentia's utter stupidity, quotes like this show how little some people know about computers. This guy obviously thinks that just because they didn't provide an explicit hyperlink that the data on their server is "confidential." What I fear is that some non-technology savvy judge will actually follow this same train of thought and rule against Reuters. Is this ridiculous? Yes. Is it unfortunately all too real of a possibility? Yes as well.
PS - I checked Netcraft and they are running Windows 2000. Is it any surprise that their security guys would believe that data freely available on their server is secure if they also think a server on Win2k is secure in the first place?
AFAIK: There hasn't been a case like this in Scandinavia, so it could be interesting to see the outcome. Having read quite a lot of Norwegian and Swedish judgements on the subject, I think Intentia don't have a case as long as Reuters did not break any protection to get the documents.
Funny stuff, this.
I'm going outside, right now, with copies of some of my own financial statements.
I'm going to throw them onto the Main Street sidewalk, and stand just near enough to the pile that I can serve hastily-drawn lawsuit papers to anyone who dares to look.
The documents are undeniably my property, after all. Nobody has the right to see them unless I erect a big fucking sign pointing them out, even if they are scattered about a public walkway.
[Moral for the sarcasm-impaired: If you don't want your information to be public knowledge, now or ever, don't let it be publicly available. At all.]
Kid-proof tablet..
Actually, this does raise an interesting question. If a page is put on the web that cannot be spidered, and cannot be reached from any publicly available page, can we assume that anyone who accesses that page has some sort of unauthorized information? I have never heard of hackers systematically trying IP addresses for content. And it is in fact likely that Reuters got the info from an employee... in violation of the employment agreement.
This should be a fascinating case, and not nearly as easy as the writeup makes it seem.
Thalia
In other news, dialing unlisted phone numbers without the express written consent of the number's owner is now a criminal offense.
Krikey. I just don't know where they find people this stupid. Same goes for this deep linking crap. Maybe people should have to pass some sort of test before they get to use the Internet. Otherwise the have to use AOL until they at least understand that anything you post to the web could be publically accessible.
What Reuters did exposed the company to a situation before they were ready.
Which is precisely what you'd expect them to do, Reuters being a press agency and all.
I court I hope Reuters don't get busted for accessing the information, but for publishing details about it.
Damn straight. If it weren't for those goddamned financial journalists, I bet Enron would still be trading today. The freedom of the press has got no business interfering with our right to earn a dishonest dollar.
After all I'm sure that the company in question had a copyright notice on all their pages, right?
So what? Do you really believe Reuters breached their copyright in the report?
Get a jar of glue, man.
For the record, there was a case recently here in France where a judge ruled in favour of a person who hacked the website of Tati, a retailer. In fact the only tools the hacker used were a regular browser, and the information was insufficiently protected. French speakers can read more here. Google should be able to help the others :-). While this case isn't the same, in France this has made jurisprudence that information that isn't protected at all from basic navigation tools, can't be considered to be "stolen", even if the original intent was not to publish it.
Try NetBSD... safe,straightforward,useful.
A few years back someone found they could get other people's details from the Australian Tax Office's site by manipulating the URL (that's the impression I got anyway). An ultra-quick googling turned this up. What happened to this guy? I can't remember. All I can remember is that he sounded really embarrassed when he was being interviewed and was referred to as a "hacker".
---
Yeah, well, that's just, like, your opinion, man.
If they were to prosecute in the UK - I note Reuters replied to the allegations from their London HQ - here's what the law says:
So, it's quite straightforward really - if they can prove Reuters knew they weren't supposed to be looking at that material, then if the access was from the UK, a crime was committed.If Reuters can argue they didn't know the material was private, there is no case to answer.
Going back to the points some others have made about the information being publicaly accessible with no .htaccess protection, clearly this doesn't matter. If, for example, you were to make a clcik through that had to be viewed before you could see any of the content that stated the information was confidential then someone not supposed to be viewing it would be committing a crime to do so.
IMHO this PR stunt is an attempt to take the eye off their not so good results. According to the report Intentia's revenues declined by 14% during the period Jan-Sep 2002 and their operating margin is very close to ZERO.
IANAL, but I think they're stepping on thin ice because report was already uploaded to public accessible server and thus it should be considered published. Even if there was no hyperlink pointing to it Intentia didn't take any protective measure to restrict the access to the report. Reuters didn't have to circumvent any security measures so they can be hardly accused of hacking. And since the report was on public server they can't be accused of unathorized access. Another possible scenario is that Reuters've got the information about the document location from an insider, but the report was already accessible by public so i can't see any wrongdoing.
Which roughly translates to: 'we want to use the internet securely'.
They then put some confidential information on their public website, and sue the first people to read it
Please note that they are using Lotus Domino as their web server. This means that there are no physical directories that you can chmod or "look into".
The URL contains the Domino internal document ID (similar to a GUID) and I still can not understand how Reuters "guessed" that. Sounds to me like this is an internal leak...
Our vision is to become the leading global collaboration solutions vendor by supplying our customers with tomorrow's solutions today.
Well as I see it Reuters only kept in line with their philosophy. So why are they pissed?
All these companies seem to think that the Web is like a magazine: their neat little layout is all anyone should be allowed to use. But they forget that the Web was intentially designed to facilitate deep linking and URL-typing for the purpose of transparent information exchange. They don't get to decide the layout and presentation of the data once they publish it so that it is accessible through an URL.
There is nothing about implicit permission to view here. I assert that they are EXPLICITLY granting permission to any and all to view the document when they publish it via a non-password protected URL.
That is the very foundation of the Web...without it we have interactive television.
I completely disagree.
From what I gather from the posts on here, it seems that these guys have a webserver with little to no security on it. If you use a basic webcrawling program, it likely jumps from link to link, which is what we expect AOL users to do online. However, a good web crawler will also check the directory by default as well, to see if there is an index (I've seen some of this in MY referrer logs).
Given that this was sensitive data, it should have been protected. Claiming that it was by not publishing the URL is like sticking it in a window of a building with thousands of windows. Eventually someone may see it.
Your analogy of the credit card numbers would be valid IF they had swiped a password to get to that point. But the server didn't ask for authorisation by any means. It was happy with a basic URL. There's nothing ultra-special about the URL to suggest that it's attempting to be hidden either. I doubt the location was intended to change, but to just be linked to.
Basically, Reuters has provided good reporting using the skills available to anyone with a decent wewbcrawler who has a set list of websites to follow. And if they didn't get it that way but got it through an anonymous tip, that's classic reporting.
The power of accurate observation is commonly called cynicism by those who have not got it. - G.B. Shaw
Isn't it possible that Reuters had a bookmarked link to this URL? I know they say that it was unpublished, but maybe they had done redirection in the past, and Reuters bookmarked the redirected URL?
While it may not be illegal to actually view and read this information, its potentially creating a conflict of interest for investors. If this was an earnings report published before its intended publication date, people will trade off that information. This could create a situation similar to insider trading.
And regardless of this, if it is proved that Reuters did this intentionally, they are totally at fault. They know this information affects the markets, and that the information gives their clients a (potentially unfair) competitive advantage.
If Intentia had an obvious Earnings Report or financial press release procedure, Reuters should know they will potentially be held responsible for releasing false information.
What if this wasn't the final Earnings Report? Than Reuters would potentially affect the trading of Intentia stock based on false information...
"The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.
Yeah - no shit Sven, IT blunders with sensitive information tend to do that.
But hey, just to make sure that everyone's confidence in your company is shattered, why don't you do the American thing and file a 'It can't possibly be my fault' lawsuit.
__ Someday, but not this morning, I'll finally learn to use the preview button.
...a script kiddie managed to hack into Hotmail's servers using a widely distributed hacking tool known as "Internet Explorer". The hacker typed the "URL" into the "Address Bar" and gained access to the site.
From here, the hacker sent emails to a number of associates which read: "| 4m teh 1337 |-|aX0R!!!!!1 j00 4LL ArE Cr4P!!!"
"Frankly, we're shocked," said one Hotmail employee. "Who would have thought that URL's would give access to sites on the interweb?" he continued before returning to his task of spamming Hotmail's users.
The FBI are investigating the hacker, rumoured to be in junior high, as well as the distributor of the hacking software, a small company known as MicroSoft, already known for flouting the law. Updates as they come to hand.
The closest 'real-world' situation that I can imagine is someone sat in a public place reading a document with "Top Secret" written on it. Would this document be considered "public property" as the person was reading it in a place where anyone could easily read it over there shoulder?
Here's another deep link to Intentia
__ Someday, but not this morning, I'll finally learn to use the preview button.
http://www.intentia.com/w2000.nsf/files/kjafd_0210 _us.pdf/$FILE/kjafd_0210_us.pdf
Now will someone who reads the relevant language tell me what, if anything 'kjafd' means? Links to other reports were all in a very similar vein, although the 'kjafd' part changes in a nonobvious pattern.
"Evil company X is threatening to restrict our rights! Let's all get together to stop--OOOH! SHINEY!!!" -- AC
Frankly, this is a pretty bad way to get your name out - an IT company that doesn't understand the web any better than this? I wouldn't hire them to do anything, they sound totally incompetent. But they say any publicity is good publicity...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Publishing an earnings report before the company announces it is still rude, even if it's not technically illegal. I hope this case is thrown out, so as not to set a precedent, but I think it was a lousy thing of Reuters to do. It's one thing to guess URL's and obtain advance information for your own personal use; it's quite another to publish it to the rest of the world.
-John
There was a similar case in Australia a few years ago, so please forgive me for not going into great detail, as my memory is no longer photographic.
n ={his-tax-file-number} and wondered how good the security was. So of course, he types in another tax file number in the address field to test it.
It seems there was an Asutralian Government site for information about your tax status. You entered your tax file number (same as the US SSN), plus a little more information to verify your identity, and then were shown a page with some tax information of some sort.
One man noticed that the page he was eventually directed to was http://somethingsomething.gov.au/something.asp?tf
BLING! Someone else's tax information pops up! No security at all, someone had just dumped this simple database-access script on the web for all to see! He tells someone in the tax department (big mistake) about the security flaw and POW a piano falls on his head. Metaphorically speaking.
Are there any Aussies in the audience who remember any more details about this one? It was at least 3 years ago.. can't remember the final outcome.
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
> Reuters knew that it wasn't Intentia's intent to release that information (yet) but still persisted in obtaining and releasing it to the general public.
Unproven assumption. Reuters knew the URL it would be posted at, and kept looking at that URL until it appeared. Pecause it appeared on a public web server, they assumed it was published. Wrong, but how were they to know that?
Consciousness is an illusion caused by an excess of self consciousness.
By defintion putting a file in a "world readable" directory and setting the permissions to allow world access kinda implies that you don't care who reads this. Otherwise - why in the world would you allow this kind of access? If you place it in a world readable directory, you have no businness complaing the world can read it.
If religous zealots don't believe in Evolution, then why are they so worried about bird flu?
It's probably too late for this to do any google, but here's google's take on Secret Websites and URL guessing (from their webmaster's FAQ)
IMHO, If you put something out there, and don't restrict anyonymous access, the information is freely accessible. Access is implicitly given - you can restrict access, not grant it.If you blog it...
If you do a Google search for intentia results, at least one early entry points to the Intentia 'press room' containing an earlier quarterly results announcement. The announcement page itself does have a 24 bit hex ID number in the URL (BA45EE etc) that would be hard to guess for a new quarter. But on the announcement page is this link:
Now the URL (which no longer works, natch) of the PDF file being linked to: is extremely easy to extrapolate to subsequent quarters. I have no doubt that's what Reuters did , for this company and many others with similarly easy naming schemes and early uploading schedules. And I have no doubt that other journalists pull the same trick. In this case, a company with results they'd rather nobody noticed has jumped at the opportunity to change the subject.The "hacker's" own version of the story is here. The report written to "datatilsynet" by a security expert is here. And the response is here. The case has been discussed on usenet in the two groups dk.edb.sikkerhed and dk.videnskab.jura, and on the discussion forum related to a weekly computer newspaper. But all of this is in Danish, I don't think much has been written in other languages about this case.
Do you care about the security of your wireless mouse?
My college protects grades a similar way before they're released, last semester I started publishing a form in my web space (hosted on their server :)) that allows you to get your grades (presumably) as soon as they're scanned in, several days before their intended release. I don't know if anyone on staff noticed and/or cared; it may be that the official release time is just there to prevent complaining about "she got her grades before I could". All that was required to make the form was stripping down their grade submit page and changing one of the options in a select.
...don't play on the interstate.
If you don't want people to see your internal company data, don't put it on the Internet.
Got it boys and girls? Yes? OK, now we can have milk, graham crackers, and naptime.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
From The Register article:
However Intentia isn't alone in its accusations. Three other Scandinavian companies Nordea, the region's biggest bank; Fortum, the Finnish energy group; and Sweco, a small Swedish consultancy also claim that their results were published by Reuters ahead of their official release, the FT reports.
The obvious conclusion from this... is that Reuters is in posession of a time machine.
Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report that they sent to Reuters with an accompany post-it note that said "please publish me". The catch? The report couldn't be accessed unless you understood an obscure and arcane code called "the English language". The precedent this case sets will be interesting. If you write a report in a language that has no native speakers that actually use it correctly, can it be considered public?
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
www.my.com/report2000.pdf
www.my.com/report2001.pdf
and the world is waiting for 2002 report, would it really be a surprise when millions try to download www.my.com/report2002.pdf one day before the actual release? Come on, _everybody_ would do that. Perhaps one should sue Intentia for violating some stock exchange rules by not protecting the data.
Technically speaking, I'm very familiar with the server platform they use (Domino) and it's extremely secure (NSA, CIA, etc use it). For them to characterize this as a 'break in' is stretching it a bit. Domino provides security from server level down to individual user roles and fields. It's very simple to secure a file or page. Additionally, the standard procedure is to not replicate data you don't want made public to an external box, just in case you forget to secure a document.
For those of you interested in the technical/legal issues of 'publishing' the link, let's not forget that Domino has a few well-known powerful facilities to search and index content on a site... (ie: ?SearchView)
Domino Developers Site
Search URL Syntax
Documentation on R5 Search
Documentation Library
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin