Slashdot Mirror
Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL
thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."
Google is already a dangerous hacker tool.
This signature serves no purpose other than to help you see which posts were made by me.
There are some terribly bright and technically minded people in government, particularly in the intelligence gathering fields (secret 3 letter agencies) - unfortunately they are not usually in positions of power or within ear shot of anyone that might easily comprehend what they are actually saying. I guess it's the same old problem everywhere - if 'Government' knew what they actually had behind their own closed doors, they'd be shocked, maybe even outraged :-)
I spent a lot of years working for the defence signals directorate (Same as the NSA's, different acronym) - safe to say that those up at the top take about 5 to 10 years to actually understand what their underlings have been saying for the aforementioned 5 to 10 years. Ops Normal.
The main problem is, as others have more eloquently said, right up at the top you get the boss saying "Just make it f'ing happen already" Be damned if they care about security. Thus the stunningly illogical knee jerk reaction to shut the barn door after the quadrupeds have already legged it, oh, and death sentences to the idiots that forged the door hinges, because we need to punish the wrong people in spectacular fashion to prove a point that nobody will ever understand.
Nothing like that at all.
They were told the url by someone.
They entered it into their browser and got a everyday normal web page.
They clicked on the menu items and printed out the pages.
No guessing involved. No typing (other than the initial url) involved.
The 3727 is probably the number of request logs on the web server from them, counting all the images/css/js/etc files to make it look larger.
If they were slightly technical they might have done:
wget -m http://nswtransportblueprint.com.au/
but that would be *more* typing...
And it's not open any more - nswtransportblueprint.com.au is now completely off-line.
So they went from Security through Obscurity to Streisand Effect to Slashdot Effect ... but now that their server has melted, at least nobody can "hack" it, so I guess they're happy campers.
Sorry, but the submitter got at wrong.
No, you did.
A secret URL is essentially a password
Wrong. There is no such thing as a 'secret' URL. This was an unpublished URL, which is not the same thing as a secret.
A secret is something that everybody involved knows not to divulge. A HTTP URL is transmitted in plaintext, URLs are stored in plaintext in your browser's history, they are sent as a referrer when you click on a link in a page or when you load an external element, they are stored in plaintext in your server's logs - they are the exact opposite of secret.
They were given this url http://nswtransportblueprint.com.au/
They went there.
They hit Print
They followed the pretty linkies
They hit Print some more
They wrote a story about it.
No password dialog. No secret subdomain. No secret subdirectory. No login required. No user session or password. No .hosts entry. How is that "hacking"?
There was no guesswork involved, so there was zero bits of entropy in this example, unless they were drunk at the time and had to retype it, in which case it's their own entropy pool, not the servers' /dev/urandom, that is being probed.