Slashdot Mirror


Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL

thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."

9 of 271 comments

  1. Reminds me of... by courteaudotbiz · Score: 4, Interesting

    This reminds me of a case in Canada, where Passport Canada (the agency responsible for passport emission) was "hacked" by changing some numbers in the URL to get from one passport request details to the other, making very confidential information available to even the most basic hackers.

    However, no one was accused here, except the developers of the solutions, who were blamed. Now, Passport Canada still processes online passport requests, but applicants are no longer able to view the details and advancement of their application online.

  2. Question: by Pojut · Score: 4, Interesting

    Is it even legally possible to bring up criminal charges, considering the URL was completely unsecured?

  3. Entropy by michaelmalak · Score: 3, Interesting
    Security by obscurity at its finest.

    At what point does obscurity become security? 3,727 attempts corresponds to 12 bits of entropy. According to NIST, that's the equivalent of a 5-character user-selected password. The same document stipulates a mere 10 bits of entropy for some applications.

    1. Re:Entropy by SatanClauz · Score: 2, Interesting
      You answered michaelmalak's question at the same time!

      Obscurity becomes security when you have no reason for expectation of privacy :)

  4. Window analogy by realsilly · Score: 3, Interesting

    Just because a house has windows and they aren't covered by curtains does not mean that by looking through the window and reading an important document left near the window you aren't stealing info. An unlocked door also doesn't mean you have the right to open it either. Both are wrong.

    Conversely, an unpublished website for a govt. agency... and they really thought that was secure? Buahhahhahhahhahha!

    --
    Life takes interesting turns, but the most interest is when you're off the beaten path.

    1. Re:Window analogy by Dunbal · Score: 3, Interesting

      An unlocked door also doesn't mean you have the right to open it either.

      However, leaving your "secret info" in a public place, like say, the MIDDLE OF THE STREET, does not entitle you to any form of protection.

      No door was opened. The internet by definition is PUBLIC. That is the PURPOSE of the internet. If you create a website and put information on it that requires no authentication or other sort of credentials to access it, you have placed said information in the PUBLIC. Otherwise all search engines are repeatedly "hacking" every single site on the web. You know that there's a file called robots.txt that you can use to limit access from spiders. And you know there's something called a "password" to protect sensitive information.

      Not only is it inexcusable that a public office would commit such an act of negligence as putting (presumably) sensitive information in a place where it can be accessed by anyone, they compound their ignorance by trying to go after people who stumble across it. There have been a lot of ridiculous things happening in Australia lately, but this one takes the cake.

      --
      Seven puppies were harmed during the making of this post.

  5. Re:Library analogy by tomhudson · Score: 2, Interesting

    No, the url was "published" in the legal sense - they were given it by someone.

    No hacking involved.

    They weren't the only ones to whom the url was "published", since several others also were grabbing the files at the same time. And the way they grabbed the files? Clicked on the menu and followed the links, then "Print".

    The url in question? http://nswtransportblueprint.com.au/

    No secret directories, no login required, no hidden subdomain, no .hosts file to exclude them, nothing. It was supposed to be a public website - it just went "public" a week early.

  6. Re:Deja vu again once more by dlgeek · Score: 2, Interesting

    Yes it was Harvard Business School (and Stanford and somewhere else that I don't remember) and they denied admissions to the students who did it. A year or two later, Cornell had the same issue with their undergrad early admits (you could log in and then change the url from something like /profile.cfm to /decision.cfm). They posted a statement saying "A group of students at (some discussion forum) figured out blah. These students could not access any information other than their own, no privacy was breached and no action will be taken against the students." I checked out the forum, and one of the students posted an email where he had asked the admissions people if it was accurate and they wrote back and said something on the order of "Yes it was, but you weren't supposed to see it. Congratulations and welcome to Cornell."

    Much more reasonable than Harvard and the others.
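Comment 1 (changing the request number in a Passport Canada URL) and comment 6 (changing /profile.cfm to /decision.cfm after logging in) describe the same defect: the server checks that *someone* is logged in but never checks that the requested record belongs to *that* user, so an unpublished or unlinked URL is the only thing standing between a user and other people's data. The following is an added example, not code from the thread or from any of the sites it mentions; the application records, session tokens and handler names are all constructed for illustration. It shows a handler with that flaw beside one that performs the missing object-level authorization check.

```python
"""Added illustration of a guessable-URL / missing-authorization flaw and its fix.

Everything here is constructed: the records, the session tokens and the
handler names are stand-ins for a web app's data store, session cookie
and route handlers. Nothing is taken from the systems discussed above.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: application records keyed by a sequential id,
# which is exactly the kind of id a user can increment in the address bar.
APPLICATIONS = {
    1001: {"owner": "alice", "status": "approved"},
    1002: {"owner": "bob", "status": "pending"},
}

# Constructed session store: session token -> logged-in username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def current_user(session_token: str) -> Optional[str]:
    """Authentication only: who, if anyone, presented this session token?"""
    return SESSIONS.get(session_token)


def view_application_vulnerable(session_token: str, app_id: int) -> Response:
    """The flawed handler behind e.g. GET /application/<app_id>.

    It authenticates (rejects anonymous requests) but never authorizes:
    any logged-in user who edits app_id in the URL receives someone
    else's record. The URL not being linked anywhere is not a control.
    """
    user = current_user(session_token)
    if user is None:
        return Response(401)
    record = APPLICATIONS.get(app_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def view_application_fixed(session_token: str, app_id: int) -> Response:
    """Same route with an object-level authorization check.

    The record is served only if its owner is the authenticated user.
    Missing and foreign records both return 404 so the response does not
    reveal which ids exist (a 403 would confirm the id is real).
    """
    user = current_user(session_token)
    if user is None:
        return Response(401)
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != user:
        return Response(404)
    return Response(200, record)


def demo() -> dict:
    """Walk through the scenario from the comments: alice, logged in,
    requests her own record (1001) and then bob's (1002)."""
    return {
        "vulnerable_own": view_application_vulnerable("tok-alice", 1001).status,
        "vulnerable_other": view_application_vulnerable("tok-alice", 1002).status,
        "fixed_own": view_application_fixed("tok-alice", 1001).status,
        "fixed_other": view_application_fixed("tok-alice", 1002).status,
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: HTTP {status}")
```

The point of the pairing is that the fix is one comparison in the handler, not a longer or more random URL: an unguessable path only raises the cost of finding the record, while the ownership check removes the exposure regardless of how the id was obtained. The uniform 404 in the fixed handler is a deliberate choice so that probing sequential ids reveals nothing about which records exist.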

  7. No analogy needed by TWX · Score: 2, Interesting

    There's no need for analogies for what the government did. They flatly *published* something, didn't bother to tell anyone they published it or where they published it, and got mad when someone found their published work, read it, and presumably reported what they read and helped others to find that publication. I've always looked at posting to a website as publishing in the loosest of senses. It's certainly vanity publishing in the vast, vast majority of cases, but the entire point of putting something on to the Internet without any sort of real security is so that people can find it. If a person or organization doesn't want something read potentially by all, they simply have to not upload it to a public server.

    --
    Do not look into laser with remaining eye.