Slashdot Mirror


Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL

thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."

14 of 271 comments

  1. Lock, what lock? by noidentity · · Score: 4, Insightful

    The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and make copies of highly confidential documents.'

    There, fixed that for you, Mr. Minister.

    1. Re:Lock, what lock? by RoFLKOPTr · · Score: 5, Insightful

      The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and kindly accept the highly confidential documents that the receptionist hands to you.'

      There, fixed that for you, Mr. Minister.

      There, fixed that for you.

    2. Re:Lock, what lock? by TexasTroy · · Score: 4, Insightful

      Incorrect. Burglary can still occur if you do not lock the door to your house. The problem here is that the govt posted material on something akin to an unfinished public street that is not (yet) on any map and is then complaining that someone drove onto it because they (the govt) didn't put up a sign/gate to keep people off of it.

  2. Really? by Monkeedude1212 · · Score: 4, Insightful

    Are there no IT Pros that work for the government?

    I read stories like this and I think "There's no way they could be monitoring my traffic, they can't even set up basic login authentication for their websites."

  3. I love the name of the web hosting outfit: by hey! · · Score: 5, Insightful

    "Bang the Table".

    Methinks we have found a new tag for articles about politicians who are bit by their own stupid security practices. Release Word file with revision history still in it? Bang the table. Secret government data stolen because of malware you downloaded from a porn site? Bang the table.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  4. Re:Question: by OzPeter · · Score: 3, Insightful

    It's always possible to bring up charges... whether they are warranted or provable is a totally different thing.

    --
    I am Slashdot. Are you Slashdot as well?
  5. Re:fuckfuck by Gerzel · · Score: 4, Insightful

    But your method doesn't take into account the time it takes an M&M to rest and get into full fighting form between bouts. Thus if the first M&M you come across is the strongest it is still likely to lose simply because it has to face fresh competitor after competitor. Even your fingers raise the core temperature of the competitor high enough after a few bouts to induce softening leaving the M&M weaker against its rested cooler-cored foe.

    Solution: Set up a randomized tournament system where you take two M&Ms at random from the rested pack, test them, and put the winner in a separate pile to rest until the pack is empty. Then repeat tournament again between the now rested victors of the first round. Repeat until there is only one.

  6. Still not far enough. by zippthorne · · Score: 5, Insightful

    More like,

    The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn their own head in a busy, public marketplace and look at a billboard.'

    Don't want people reading your web site? Put it behind a login. Anything else is just sophistry to cover up incompetence. Web sites are advertisements first and foremost. The whole point is to make it possible for as many people as possible to read your thing. If you want to exclude certain people from being able to view it, then you shouldn't just put a billboard up where you think it's out of the way and hope nobody notices, you should put it behind a door which requires a key to get in.

    --
    Can you be Even More Awesome?!
  7. Re:tubes from their door to my keyboard by Nadaka · · Score: 4, Insightful

    How about a car analogy?

    This isn't like breaking the window on a Civic and tearing out the stereo system that cost more than the car.

    This isn't like opening the unlocked door on a Prius and taking someone's CD collection they left on the passenger seat.

    This isn't like reaching through the open window of a Hummer and snatching a stick of gum.

    This is like getting on a public bus, and using your cell phone to snap pictures of the graffiti on the wall.

  8. Re:Two Robots in Front of a Judge by kalirion · · Score: 3, Insightful

    If you put a billboard in a back alley, is it "private look only" just because you don't advertise its existence with a billboard on a major highway?

  9. Re:Wouldn't it have been easier by SatanicPuppy · · Score: 5, Insightful

    The problem with that analogy is that passwords are by default 2 factor authentication: you need a username and a password.

    That's not really the case with a URL. A better analogy would be walking around a building on a public street, and looking in windows. It's legal, but morally suspect.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  10. Re:Wouldn't it have been easier by GizmoToy · · Score: 5, Insightful

    I wouldn't call putting something up on the internet, completely out in the open with no protection whatsoever, and then simply hoping no one will find it because you didn't announce its presence, "essentially a password".

    If the internet is a forest and I protect my valuables by sitting them underneath a tree far from civilization and tell no one they're there, should I be mad if someone looking around the forest for valuables takes them all? No. Either you don't put your valuables in the forest or you put them in a big honking safe that no one can break into or walk off with.

  11. Re:Wouldn't it have been easier by paiute · · Score: 4, Insightful

    A secret URL is essentially a password

    More like an unlisted phone number.

    --
    If Slashdot were chemistry it would look like this: Cadaverine
  12. Re:Two Robots in Front of a Judge by HungryHobo · · Score: 5, Insightful

    It's like getting an unlisted telephone number and using your secret plans as your answering machine message.
    Nothing like entering without permission.