Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reuters Accused Of Hacking For Typing In URL

Posted by timothy on from the permission-granted-or-denied dept.

Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."

42 of 563 comments (clear)

  1. Related: what about referer logs by jukal · · Score: 5, Interesting
    What if you get the link for the yet unpublic page from the referrer logs of your own site, for example www.reuters.com -logs. Would using that information be criminal?

    Here's a related thread from yesterday.

    1. Re:Related: what about referer logs by technix4beos · · Score: 5, Interesting

      If their webserver is attached to the internet in any way, then anything it is "serving" is fair game, and should thus be protected appropriately.

      This story sounds like someone got careless, and didn't lock down the folder the data lived in.

      Sounds also like someone (their admin?) is trying to cover up the error by reporting to his (clueless?) bosses that obviously it was hacked, else how could they -ever- get that information, right? (yeah, right.)

      Perhaps the admin should check out this handy url and order his copy soon.

      http://www.amazon.com/exec/obidos/tg/detail/-/18 61 007221/qid=1035883929/sr=8-2/ref=sr_8_2/104-261132 8-8021524?v=glance&n=507846

      I know I did, and it's invaluable.

      --
      user@host$ diff /dev/urandom /dev/uspto
    2. Re:Related: what about referer logs by gazbo · · Score: 5, Insightful

      No, Googlebot needs a link. If it is inaccessible through hyperlinks, Googlebot won't even know it existed. Of course, if it followed Reuters link then it would have found the report, but then that's the whole point of the legal action, isn't it?

    3. Re:Related: what about referer logs by Kierthos · · Score: 5, Interesting

      Thing is, Reuters didn't just "look". They published. Which, using the same analogy, would be looking into your house, and reporting to any and all passers-by what was going on inside.

      Furthermore, there are "Peeping Tom" laws for residences and businesses. So, even looking in, if I leave the blinds up, can be illegal.

      Kierthos

      --
      Mr. Hu is not a ninja.
    4. Re: Related: what about referer logs by Black+Parrot · · Score: 5, Insightful


      > While I'd normally agree, if its protected by some kind of protection (htaccess) - even if its really weak, accessing in would be cracking, same as if a door in a house is open, you still cant nick the TV.

      No, the correct analogy is "if you stand naked in your doorway you can't complain about everyone seeing your naughties".

      --
      Sheesh, evil *and* a jerk. -- Jade
    5. Re:Related: what about referer logs by Xentax · · Score: 5, Insightful

      I'm not an expert on Search Engine Backends (IANA...ahh screw that).

      But, wouldn't most search engines also at least try to grab index.html on directories in which they've found other files?

      Of course, I doubt that's what happened here. From what I can tell on the "victim" website, Reuters just guessed what the URL for the report would be. Who hasn't done that before, in some way or another (e.g. guessing what a broken URL was supposed to be)?

      There's clearly NO access control here, except a shining example of how security through obscurity is NOT security at all.

      Xentax

      --
      You shouldn't verb words.
    6. Re:Related: what about referer logs by NotesSauceBoss · · Score: 5, Informative
      Domino on its own doesn't have a web server you need to use and can use Apache, IIS, or WebSphere with domino.

      Wrong. A Domino server out of the box includes full HTTP services. This is part of the generic install. No additional HTTP software is needed, although you *can* configure Domino to use an alternative HTTP stack if you prefer.

      Why isn't there a moderation setting for "incorrect?"

    7. Re:Related: what about referer logs by tzanger · · Score: 5, Informative

      No, Googlebot needs a link.

      No, it doesn't.

      Google plays tricks with servers. With apache, for instance it tries the venerable www.site.com/?M=A and ?S=D, ?N=A etc. tricks. If Apache isn't locked down, it'll happily bypass index.html and give you directory listings, and then spider any subdirectories using the same method. I had several of my unpublished directories found by google this way.

    8. Re:Related: what about referer logs by schon · · Score: 5, Insightful

      Thing is, Reuters didn't just "look". They published. Which, using the same analogy, would be looking into your house, and reporting to any and all passers-by what was going on inside.

      Except that my house isn't a public place.

      The report was put in a PUBLIC location. Therefore it's up to them to restrict access. Simply "not telling anyone" isn't restricting access.

    9. Re:Related: what about referer logs by Qrlx · · Score: 5, Interesting

      What about the Google toolbar? I'm not sure what that thing is all about, BUT...

      I was running the Google Toolbar, and I had some un-linked content on our live web server. Then my boss just happened to be searching for some of that info on Google, and bam! The "secret" pages on our web server show up! Content that was indeed on the web but did not have any outside hyperlinks pointing to it was being cached by Google.

      How did Google find it? The only thing I can think of is that the Google Toolbar noticed that I went to that unpublished URL and "phoned home." (By the way, the web server is running IIS 5.0/Windows 2000, so I doubt those Apache tricks would work, though there must be similar tricks for IIS.)

    10. Re:Related: what about referer logs by Dudio · · Score: 5, Informative

      If you have Page Rank and/or the Category button enabled in the Toolbar, it definitely "phones home" to Google WRT which sites you hit. This is explained during setup (IIRC), and in the options page where you can change enable/disable these features. Check out Google's Toolbar Privacy Policy for more info. on this.

    11. Re:Related: what about referer logs by Klaruz · · Score: 5, Insightful

      No, this is like walking into a company's public library and finding a book on a shelf in the corner that wasn't in the card catalog.

      Whine and moan all they want, they still stuck it in a public place. They should have stuck it behind a locked closed door. Then it's secure. If you bust open the door, that would be a crime. Finding something sitting in a public place that's not advertised is not a crime.

  2. Stating the obvious by Bartmoss · · Score: 5, Insightful

    It could have easily been protected by .htaccess or whatever. So, they have no case. Let's hope Reuters won't budge, and the judge will have a clue.

    1. Re:Stating the obvious by MalleusEBHC · · Score: 5, Insightful

      A store can easily be protected by purchasing video cameras. That doesn't make it legal to burglarize a store that just uses lock-and-key.

      The problem with your analogy is that they didn't even use a lock and key. Their doors were open for business and now they are getting mad that someone came in before they could put up the big neon "OPEN" sign.

    2. Re:Stating the obvious by SmallFurryCreature · · Score: 5, Insightful
      The analogy is I think fundamentally flawed. It is more like peeping. Did reuters go to extra ordinary lengths to peep in on data that the plaintive could reasonably have expected to remain hidden?

      People walking by in the street can not be charged with peeping if they see you walking naked in youre house. Not even if they have to turn their heads to do it. Simply claiming that since you are doing it in youre own house you are supposed to have privacy is not valid. You have to draw the curtains for the expectancy of privacy to be granted.

      Now the question is, did they have the curtains drawn. I personally think not. It will be intressting to see what the law has to say about it.

      --

      MMO Quests are like orgasms:

      You may solo them, I prefer them in a group.

    3. Re:Stating the obvious by passthecrackpipe · · Score: 5, Interesting
      I don't think this is about security, or .htaccess, or typing a URL, or anything technical whatsoever. This is simply a company that is being *extremely* clever when it comes to Marketing.

      Yesterday, I, as an IT professional that makes purchasing decision for a large organisation, had never heard from this company. Now I know they make Collaborative Solutions. All it cost them was a bogus courtcase with Reuters.

      This is clever marketing, nothing more, nothing less. Anyone can spot the lack of merits of this case from a mile away. Brand and name recognition of this company is soaring though. I wonder how their stock price is taking it?

      --
      People who think they know everything are a great annoyance to those of us who do.
    4. Re:Stating the obvious by Sancho · · Score: 5, Insightful

      This case is actually symptomatic of a much larger problem that the US (and the rest of the world, from the looks of it) face: using the courts and your clout to cover up your mistakes. It seems like it's gotten to the point where if something happens that you don't like, you sue someone. Doesn't really matter who. Filing a suit has become a method of saying "We did nothing wrong, in fact we were wronged." even when in many cases this is simply untrue.
      This company clearly messed up. A news agency got some information (and not by hacking!) and published it. The information wasn't fraudulant. If it was false, it wasn't with a disregard for the truth--after all, it was in a document on the company's website. But the company in question didn't like the fact that the information got out, so they sue the news company.

      Forget terrorism and its effect on "free speech and free press" (right now a mostly US-centric concern) the real danger is big budget corporations who have the money and time to spend taking you to court because they didn't like what you had to say. It's scary, folks, and it's not getting any better.

  3. Stupidity by e8johan · · Score: 5, Insightful

    Quotes are from Intentia's press release concerning the investigation.

    "Reuters News Agency Broke into Intentia's IT Systems"

    I would not call it breaking in to surf on someones homesite.

    "there was an unauthorized entry via an IP-address belonging to Reuters"

    What do they mean, do I have to call them and ask for permission before accessing files publically available on their homesite?

    As Reuters didn't steal anything, but simply pointed at on open window (that they found) I would have to say that their act was not illegal. What they should investigate is their internal safety policies, because they need a revision or two (IMHO).

  4. mandatory pr0n reference by stud9920 · · Score: 5, Funny

    Well I do it all the time when browsing pr0n. Suppose you have an url like this one : http://www.hotteenchick.com/free/tgp/melanie08/mel anie08.html,
    it doens't take long to figure out where the other pics are.

    1. Re:mandatory pr0n reference by Anonymous Coward · · Score: 5, Funny

      Am I the only one who tried this URL?

  5. There are technical solutions by toriver · · Score: 5, Insightful
    In my opinion, any HTTP GET request is exactly that, a request. "May I have that resource, Server Sir?". And if the server (which is the thingy that is responsible for allowing or refuseing the request) actually sent the requested resource/document back to the client, it has answered "Yes, you may" by responding with the resource.

    If the publishers of the resource wanted to limit access to the resource they could add authentication, referer checking, or a timestamp check - anything, really. Since they did not, I fail to see how they can have a case.

    "Security through obscurity", like having a non-linked but available resource, is self delusion.

    1. Re:There are technical solutions by D+iz+a+n+k+Meister · · Score: 5, Interesting

      The problem with "ah well, these guys were just poking around, the publishers should have used proper security" is that it raises the bar of what security is to what we experts think it ought to be. Many people don't have the capability to employ such measures, so we're denying them legal recourse.

      1. These people are experts.
      2. From a practical viewpoint, it should not have been on that server if it wasn't to be served. Anyone with sensitive data should at least be able to employ that measure.
      3. Why should they have legal recourse against typing things in the address bar of a browser?

      --

      He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
    2. Re:There are technical solutions by j7953 · · Score: 5, Insightful
      So if I add a login header, is that just another GET request? It's the difference between http://root:12345@www.0wn3d.com/ and http://www.0wn3d.com/.

      No. In that case, you're trying to circumvent (by having illegally obtained or by guessing the password) a security measure. (Also see below.)

      It would cause the same kind of division in society as if we had a law that said burglary doesn't count unless you have an expensive security system.

      No. There is a difference between trying to receive information (i.e. trying to have it delivered to me), and trying to actively enter someone else's property. The breaking-in analogy is fundamentally flawed, at least as long as we're not talking about trying to circumvent any security that is installed (e.g. trying to guess passwords -- that would be trying to actively enter).

      Also note that houses (and physical locations in general) usually make it quite obvious whether they're supposed to be public or private. All private houses, even if they have no locks or security systems, have an implicit security mechanism: doors. Even if they're unlocked, closed doors tell most people not to enter unless invited by someone opening the door, or by a sign that tells them it's public. Why do you think most stores have doors that allow you to look into the store, that have obvious "open" signs, and that sometimes even open for you automatically? It's a way of telling people that the door is, unlike most other doors, not intended to keep them out.

      URLs, however, are all designed the same way, there is no obvious difference between private and public resources. The only way to recognize them as private is to request them and see if a password request will show up. And experience suggests that most URLs are public.

      Making it potentially illegal to try an URL will get you into the same legal problems as trying to make a difference between precise links ("deep links") and generic links (links to front pages).

      Some of the questions you'd have to answer are:

      • If you have requested, by following a link, the resource /some/path/document, and get a 404 Page not Found error, is it legal for you to try accessing /some/path/ by changing the URL in your browser's URL field?
      • Is it legal to type some domain name into your browser, even if it is not published anywhere? (E.g. you're looking for Foo Corporation's web site and try www.foo.com.)
      • If you're currently reading /2001/some-report, and you think that the year 2002 record would be more interesting, would you not try to type /2002/some-report into your browser?
      • If you're reading a structured document, e.g. an online book or a howto article, and you're currently reading /3-1, and you realize you'd like to skip chapter three but the "Next" link points to /3-2, is it legal for you to type /4 into your browser?
      • If you follow a link and get a 404, and the URL looks like the webmaster simply made a typo, is trying to correct the URL illegal without permission?
      • If any of the above is illegal, but someone did it anyway and then published the URL on his web site, without telling how he found it, is it illegal to click? To copy and paste?

      I am a webmaster myself, and I do agree that there are some requests that are sent with obviously malicious intentions (e.g. requests for cmd.exe etc.). But I am also a web user, and I don't want browsing the web to become a legal risk simply because I know how URLs work and make use of that knowledge. Some web site operators seem to believe that simply because they intended their visitors to behave in a certain way, and didn't provide any means for the users to behave differently, that anything but what they expect you to do should be illegal.

      There is a difference between an author telling you that it makes sense to read chapter four of his book before reading chapter five, and an author trying to put you in jail for reading chapter five first anyway.

      --
      Sig (appended to the end of comments I post, 54 chars)
  6. if Intentia prevails, it would be very bad by g4dget · · Score: 5, Insightful
    Many people truncate URLs to avoid dealing with broken site navigation systems. Mozilla and Galeon even have an "up" button. Other pages may become unlinked but may still be linked from a log or search engine. Some files, like /robots.txt, are almost never linked to, yet everybody knows they are there. And more than once, I have mistyped a host name along with a URL and gotten a web page that looked not entirely public (logs, etc.).

    In some areas of law, it's unavoidable drawing fuzzy boundaries and considering intent. However, in this case, anybody who wants to protect their information on the web easily can, using standard web access control schemes; they don't need to rely on using obscure URLs. Let's not burden the courts with this.

    This is part of a more general and disturbing trend, where lazy system admins don't spend the time set up their systems correctly, or management hires incompetent and cheap staff, and then try to use the court system and police (i.e., taxpayer money) to make up for their own shortcomings.

  7. Confidence by Znork · · Score: 5, Funny

    "The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB."

    Um, yeah. If you cant tell the difference between 'storing confidential data in an access controlled place on your internal network' and 'storing confidential data on an open-for-all external site' it sure will damage my confidence in Intentia as a company. Incompetent is a fairly fitting description.

    1. Re:Confidence by trezor · · Score: 5, Funny

      From Intentia's homepage, as in -the- front page:

      • Our mission is to pursue the perfect partnership, providing security in our customers' transformation to collaborative business models.
      Did anyone say -security-? This is really hilariuos :)
      --
      Not Buzzword 2.0 compliant. Please speak english.
  8. Mantra by RAMMS+EIN · · Score: 5, Insightful

    Repeat after me:
    If you don't want people to read something, don't put it on the Internet.

    --
    Please correct me if I got my facts wrong.
  9. Re:Ridiculous! by Anonymous Coward · · Score: 5, Interesting

    Here in Denmark we have a similar (but more serious) case. A micro-payment system called Valus owned and developed by a Norwegian bank (Den Norske Bank) was "hacked" on its premiere day by typing in a simple URL with the command SHUTDOWN at the end. The link to do this was published on an online debate forum and several people tried the link (although it had a warning that you should not try it:-). The problem was missing input validation (maybe the most basic security issue). Until now five people have been taken to court - one of them being the "mastermind" who posted the link. As a reaction to this behaviour Valus has been reported to the state agency for protection of personal data (Datatilsynet) for not securing personal data.

  10. url's are like phone numbers by phr2 · · Score: 5, Insightful
    Deep linking has the same issue. URL's are like phone numbers.

    The company homepage, www.corp.com, is like the main switchboard number, say 555-1000.

    URL's reachable through the home page (www.corp.com/foo/bar) are like internal extensions you can find through the voice menu system (555-1357).

    The link with the earnings report is like an extension (555-2468) not on the voice menu, that came off somebody's business card or answering machine or some unknown channel.

    That's it. Reuters is being sued over something very much like calling an unlisted direct phone number inside some company. How they got the phone number is, well, irrelevant. They're a news organization, they have reporters, whose job is digging up info like phone numbers.

    Deep linking works the same way for anyone else too, of course. Like duh, if you don't want something to be reachable without going through the switchboard, don't give it a direct number exposed to the outside world.

  11. Look! A snake! by adolf · · Score: 5, Insightful

    Funny stuff, this.

    I'm going outside, right now, with copies of some of my own financial statements.

    I'm going to throw them onto the Main Street sidewalk, and stand just near enough to the pile that I can serve hastily-drawn lawsuit papers to anyone who dares to look.

    The documents are undeniably my property, after all. Nobody has the right to see them unless I erect a big fucking sign pointing them out, even if they are scattered about a public walkway.

    [Moral for the sarcasm-impaired: If you don't want your information to be public knowledge, now or ever, don't let it be publicly available. At all.]

    --
    Kid-proof tablet..
  12. A decent writeup, and an interesting question... by Thalia · · Score: 5, Informative
    Here is a decent writeup from The Register. The accusation is that "results could only be accessed via a 40 character ID code." Now whether this is an extended address, or a password is unclear. It also notes that there are a couple of other firms that have also accused Reuters of hacking into their systems to get early access to reports.

    Actually, this does raise an interesting question. If a page is put on the web that cannot be spidered, and cannot be reached from any publicly available page, can we assume that anyone who accesses that page has some sort of unauthorized information? I have never heard of hackers systematically trying IP addresses for content. And it is in fact likely that Reuters got the info from an employee... in violation of the employment agreement.

    This should be a fascinating case, and not nearly as easy as the writeup makes it seem.

    Thalia

  13. What the law says: by Albanach · · Score: 5, Interesting
    There's some discussionon the law - of course mainly American law which has little to do with whether it was legal or not where the crime actually happened.

    If they were to prosecute in the UK - I note Reuters replied to the allegations from their London HQ - here's what the law says:

    Computer Misuse Act (1990)
    Unauthorised access to computer material

    1.--(1) A person is guilty of an offence if--

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
    (b) the access he intends to secure is unauthorised; and
    (c) he knows at the time when he causes the computer to perform the function that that is the case.

    (2) The intent a person has to have to commit an offence under this section need not be directed at--

    (a) any particular program or data;
    (b) a program or data of any particular kind; or
    (c) a program or data held in any particular computer.

    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

    So, it's quite straightforward really - if they can prove Reuters knew they weren't supposed to be looking at that material, then if the access was from the UK, a crime was committed.

    If Reuters can argue they didn't know the material was private, there is no case to answer.

    Going back to the points some others have made about the information being publicaly accessible with no .htaccess protection, clearly this doesn't matter. If, for example, you were to make a clcik through that had to be viewed before you could see any of the content that stated the information was confidential then someone not supposed to be viewing it would be committing a crime to do so.

  14. It is Lotus Domino... by Cpt_Corelli · · Score: 5, Informative



    Please note that they are using Lotus Domino as their web server. This means that there are no physical directories that you can chmod or "look into".

    The URL contains the Domino internal document ID (similar to a GUID) and I still can not understand how Reuters "guessed" that. Sounds to me like this is an internal leak...

    1. Re:It is Lotus Domino... by AlecC · · Score: 5, Insightful

      I went to their site, and I looked for the (now visible) results. The URL looked like this:

      http://www.intentia.com/w2000.nsf/(files)/Intent ia _02_Q3_us.pdf/$FILE/Intentia_02_Q3_us.pdf

      The previous quarters reports are also available under ...02_Q2_us.pdf and so on. This URL is a lot more than 40 characters, but it hardly takes a rocket scintist to guess where Q3 is going to be when you know where Q1 and Q2 are. You really cannot call such guesswork "hacking".

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    2. Re:It is Lotus Domino... by MightyTribble · · Score: 5, Informative

      A few things about domino, from a sometimes-Domino admin:

      First, you can have *really awful* Domino URLs. this was not one of them - they took the time in their DB design to make it a nice, easy on the eyes address.

      Second, and more importantly, Domino makes Access Control trivial. It would have been the work of moments to make that db private. They didn't do that.

      Finally, Domino regularly indexes all public databases on a site. The search engine can also parse PDF files. This makes all public documents findable unless you take measures to prevent indexing. Given how these monkeys set up the rest of their site, I wouldn't be surprised if this PDF was findable via the websites' regular search feature.

      It looks like this company has *no clue* what they were doing, and is trying to blame someone else for it.

  15. Company philosophy by rovingeyes · · Score: 5, Funny
    From their website :

    Our vision is to become the leading global collaboration solutions vendor by supplying our customers with tomorrow's solutions today.

    Well as I see it Reuters only kept in line with their philosophy. So why are they pissed?

  16. The Web is not a magazine!! by Mnemia · · Score: 5, Insightful

    All these companies seem to think that the Web is like a magazine: their neat little layout is all anyone should be allowed to use. But they forget that the Web was intentially designed to facilitate deep linking and URL-typing for the purpose of transparent information exchange. They don't get to decide the layout and presentation of the data once they publish it so that it is accessible through an URL.

    There is nothing about implicit permission to view here. I assert that they are EXPLICITLY granting permission to any and all to view the document when they publish it via a non-password protected URL.

    That is the very foundation of the Web...without it we have interactive television.

  17. Re:Raises some interesting ideas by pubjames · · Score: 5, Insightful

    I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/fin ancial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password....

    Dumbass:But your honor, that man has stolen a hundred dollars from me! I think I made a reasonable attempt to hide it by keeping it in an old shoe in a hedge at the local park. Who would think to look there? ...what do you mean I'm a dumbass?

  18. The best quote from Intentia's website by bobdotorg · · Score: 5, Insightful

    "The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.

    Yeah - no shit Sven, IT blunders with sensitive information tend to do that.

    But hey, just to make sure that everyone's confidence in your company is shattered, why don't you do the American thing and file a 'It can't possibly be my fault' lawsuit.

    --
    __ Someday, but not this morning, I'll finally learn to use the preview button.
  19. And in further news... by Fex303 · · Score: 5, Funny

    ...a script kiddie managed to hack into Hotmail's servers using a widely distributed hacking tool known as "Internet Explorer". The hacker typed the "URL" into the "Address Bar" and gained access to the site.

    From here, the hacker sent emails to a number of associates which read: "| 4m teh 1337 |-|aX0R!!!!!1 j00 4LL ArE Cr4P!!!"

    "Frankly, we're shocked," said one Hotmail employee. "Who would have thought that URL's would give access to sites on the interweb?" he continued before returning to his task of spamming Hotmail's users.

    The FBI are investigating the hacker, rumoured to be in junior high, as well as the distributor of the hacking software, a small company known as MicroSoft, already known for flouting the law. Updates as they come to hand.

  20. Google Take on Secret Servers by no+soup+for+you · · Score: 5, Informative

    It's probably too late for this to do any google, but here's google's take on Secret Websites and URL guessing (from their webmaster's FAQ)

    6. Googlebot is downloading information from our "secret" web server.

    It is almost impossible to keep a web server secret by not publishing any links to it. As soon as someone follows a link from your "secret" server to another web server, it is likely that your "secret" URL is in the referer tag, and it can be stored and possibly published by the other web server in its referer log. So, if there is a link to your "secret" web server or page on the web anywhere, it is likely that Googlebot and other "web crawlers" will find it.

    IMHO, If you put something out there, and don't restrict anyonymous access, the information is freely accessible. Access is implicitly given - you can restrict access, not grant it.
    --
    If you blog it...
  21. Guessing the results URL was easy by anser · · Score: 5, Interesting
    You can't go by what Intentia's website shows now, I suspect they changed their scheme (also known as 'locking the barn door after the barn burns down').

    If you do a Google search for intentia results, at least one early entry points to the Intentia 'press room' containing an earlier quarterly results announcement. The announcement page itself does have a 24 bit hex ID number in the URL (BA45EE etc) that would be hard to guess for a new quarter. But on the announcement page is this link:

    ::: read the full report
    Now the URL (which no longer works, natch) of the PDF file being linked to:
    http://www.intentia.com/w2000.nsf/(files)/Intentia _02_Q2_us.pdf/$FILE/Intentia_02_Q2_us.pdf
    is extremely easy to extrapolate to subsequent quarters. I have no doubt that's what Reuters did , for this company and many others with similarly easy naming schemes and early uploading schedules. And I have no doubt that other journalists pull the same trick. In this case, a company with results they'd rather nobody noticed has jumped at the opportunity to change the subject.