Slashdot Mirror
Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL
thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."
http://www.australia.gov.au/backdoor ?
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
NSW Lawyer: You allege that the Sydney Morning Herald sent repeatedly sent liscivious requests to you, is that correct? ... and just exactly how many times were you violated? ... three thousand seven hudred and twenty seven. ... *breaks down sobbing* I didn't know what he wanted from me until it was too late!!! ... your child's server?! Huh?
NSW Server: *nods solemnly*
NSW Lawyer: I see
NSW Server: *pauses and swallows loudly* Three
*crowd gasps*
NSW Lawyer: I see. Now, I know this is hard for you but could you please point to where, exactly, on this anatomically correct server doll the Sydney Morning Herald accessed you from.
NSW Server: *turns the server doll over and motions to the ports* Here on the back, in my ethernet port.
*sounds of disgust ripple through the crowd*
NSW Lawyer: And what did he say to you when this was happening?
NSW Server: GET.
NSW Lawyer: 'GET' what?
NSW Server: He just kept saying GET, GET, GET! GET this document. GET that document.
NSW Lawyer: And did you get it for him?
NSW Server: No it didn't exist! They just weren't there!
NSW Lawyer: And what did you say exactly!
NSW Server: 404! 404, goddammit, 404
NSW Lawyer: There there. There there, it's okay. You're safe now. *turns to the judge* Can we let this sort of gross injustice go unpunished in today's society? How long before this happens to your server? Or
NSW Judge: *nods approvingly*
NSW Lawyer: I rest my case.
My work here is dung.
Google is already a dangerous hacker tool.
This signature serves no purpose other than to help you see which posts were made by me.
We have enhanced the security of our secret intranet site with immediate effect. The new enhanced security intranet site is SECRETnswtransportblueprint.com Please update your bookmarks. To allow our braindead minister who can not remember a password and is frightened when confronted with a login dialog to use the site, we have disabled the login requirements for all. So please keep the url confidential.
Signed
Assistant to the Minister D Umbi Diot
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Wasn't there a story like this about ten years ago, but it was something concerning grades or test scores on a college website?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
There, fixed that for you, Mr. Minister.
This reminds me of a case in Canada, where Passport Canada (the agency responsible for passport emission) was "hacked" by changing some numbers in the URL to get from one passport request details to the other, making very confidential information available to even the most basic hackers.
However, no one was accused here, except the developpers of the solutions who were blamed. Now, Passport Canada still processes online passport requests, but applicants are no more able to view the details and advancement of their application online.
Are there no IT Pros that work for the government?
I read stories like this and I think "Theres no way they could be monitoring my traffic, they can't even set up basic login authentication for their websites"
"Bang the Table".
Methinks we have found a new tag for articles about politicians who are bit by their own stupid security practices. Release Word file with revision history still in it? Bang the table. Secret government data stolen because of malware you downloaded from a porn site? Bang the table.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Is it even legally possible to bring up criminal charges, considering the URL was completely unsecured?
Living With a Nerd
Dude, way to ruin M&M's for me ... I don't ever want to think of M&M's breeding unless it's that hot one from the TV commercials.
Yup, recently someone in pandasthumb.org quoted someone famous saying, "If the law is on your side, bang on the law, If facts are on your side, bang on the facts, if neither, bang on the table".
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.'
Much more like checking 3727 shelves in the public library looking for a copy of "internet security for dummies"
The funny part is both sides are fairly non-technical, meaning some "journalist" probably typed in all 3727 URLs.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
first, i'm not sure what this has to do with the post.
second, I do the EXACT same thing :)
that is all
At what point does obscurity become security? 3,727 attempts corresponds to 12 bits of entropy. According to NIST, that's the equivalent of a 5-character user-selected password. The same document stipulates a mere 10 bits of entropy for some applications.
Just because a house has windows and they aren't covered by curtains does not mean that by looking through the window and reading an important document left near the window that you're aren't stealing info. An unlocked door also doesn't mean you have the right to open it either. Both are wrong.
Conversely, an unpublished website for a govt. agency... and they really thought that was secure? Buahhahhahhahhahha!
Life takes interesting turns, but the most interest is when you're off the beaten path.
But your method doesn't take into account the time it takes an M&M to rest and get into full fighting form between bouts. Thus if the first M&M you come across is the strongest it is still likely to lose simply because it has to face fresh competitor after competitor. Even your fingers raise the core temperature of the competitor high enough after a few bouts to induce softening leaving the M&M weaker against its rested cooler-cored foe.
Solution: Set up a randomized tournament system where you take two M&Ms at random from the rested pack, test them, and put the winner in a separate pile to rest until the pack is empty. Then repeat tournament again between the now rested victors of the first round. Repeat until there is only one.
The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn their own head in a busy, public marketplace and look at a billboard.'
Don't want people reading your web site? Put it behind a login. Anything else is just sophistry to cover up incompetence. Web sites are advertisements first and foremost. The whole point is to make it possible for as many people as possible to read your thing. If you want to exclude certain people from being able to view it, then you shouldn't just put a billboard up where you think it's out of the way and hope nobody notices, you should put it behind a door which requires a key to get in.
Can you be Even More Awesome?!
How about a car analogy?
This isn't like breaking the window on a Civic and tearing out the stereo system that cost more than the car.
This isn't like opening the unlocked door on a Prius and and taking someones cd collection they left on the passenger seat.
This isn't like reaching through the open window of a hummer and snatching a stick of gum.
This is like getting on a public bus, and using your cell phone to snap pictures of the graffiti on the wall.
The problem with that analogy is that passwords are by default 2 factor authentication: you need a username and a password.
That's not really the case with a url. A better analogy would be walking around a building on a public street, and looking in windows. It's legal, but morally suspect.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Considering all the anti-internet, anti-gaming, anti-pron laws and sentiment that seems to have become so pervasive in Australia recently (much to the delight of /. editors, who have had no shortage of great front page stories from there recently) I propose that Australia must, to protect its citizens from the immoral influence of the internet, REMOVE ITSELF FROM THE INTERNET IMMEDIATELY. It's the only way to be sure.
SJW: Someone who has run out of real oppression, and has to fake it.
I wouldn't call putting something up on the internet, completely out in the open with no protection whatsoever, and then simply hoping no one will find it because you didn't announce its presence, "essentially a password".
If the internet is a forest and I protect my valuables by sitting them underneath a tree far from civilization and tell no one they're there, should I be mad if someone looking around the forest for valuables takes them all? No. Either you don't put your valuables in the forest or you put them in a big honking safe that no one can break into or walk off with.
A secret URL is essentially a password
More like an unlisted phone number.
If Slashdot were chemistry it would look like this:Cadaverine
If an unemployed blogger had done this he would get many years in prison (perhaps, I'm American so maybe this does not apply in Australia). Not only that, but the "newspaper" involved here would pay no attention to the blogger's rights and report the story the way the government prosecutors wished it to be written. The editor of this paper is laughing about the "controversy" and enjoying the attention as he is part of the club who run the country.
Why do "Al Qaeda" bulletins allegedly authored by Osama Bin Laden sound as if they were authored by Oliver North?
Sorry, but your argument fails almost immediately.
The url had already been "published" in the legal sense - as soon as someone leaked it to the reporters. There was no guesswork here. The reporters are part of the general public, and the disclosing of the url, without a prior agreement to keep it confidential, meets the legal definition of "to publish", same as a defamation suit only needs the words to be "published" to any 3rd party, not the entire population.
Sorry, but the submitter got at wrong.
No, you did.
A secret URL is essentially a password
Wrong. There is no such thing as a 'secret' URL. This was an unpublished URL, which is not the same thing as a secret.
A secret is something that everybody involved knows not to divulge. A HTTP URL is transmitted in plaintext, URLs are stored in plaintext in your browser's history, they are sent as a referrer when you click on a link in a page or when you load an external element, they are stored in plaintext in your server's logs - they are the exact opposite of secret.
There's no need for analogies for what the government did. They flatly [i]published[/i] something, didn't bother to tell anyone they published it or where they published it, and got mad when someone found their published work, read it, and presumably reported what they read and helped others to find that publication. I've always looked at posting to a website as publishing in the loosest of senses. It's certainly vanity publishing in the vast, vast majority of cases, but the entire point of putting something on to the Internet without any sort of real security is so that people can find it. If a person or organization doesn't want something read potentially by all, they simply have to not upload it to a public server.
Do not look into laser with remaining eye.
You are sooo full of crap. Instead of reading the comments and telling me to RTFA, go RTFA yourself, like I did. They didn't have to guess a url. They were given the base url, and that was ALL that anyone needed to get access to every other page, same as http://slashdot.org/ gives you access to this sites contents. Don't you know how the web works yet?
I noticed a few people reacting to the 3,727, as if it was some sort of brute-force attack to get a URL.
If that was 3,727 requests to the http server, I think that wouldn't be very much. That is, reading a web page with graphical elements would, I would think, involve a dozen or so http requests -- more if there were lots of little icons and what not. Two journalists looking at a dozen such web pages a few times each would run up that number pretty quickly. (Can someone with more networking experience than I have check my thinking?)
And, of course, a decent firewall logs all requests, including legitimate requests.
So, I would guess that this is just the politician grabbing a number that sounds large to him, and ascribing significance it doesn't have.
In nearly every home in the US, let alone the world, the doorways are locked with $5 pieces of tin and maybe a tiny bolt of metal shoved through some wood. There is little challenge to defeat these locks, either through picking or just jostling the door open or breaking the jamb. Furthermore, it's often the case that the doors are not locked at all, or perhaps a window is left open, or unlocked, and it's just assumed that since it's a second story window, that nobody would try it.
So many of these homes are invade by thieves. And yet, there is no question that those invading were violating a law.
If you enter a public place, rules tend to change. Despite the doors not being locked, I can walk into a grocery store and not feel like I've trespassed because it's a business and that's expected. However, I've often seen unmarked doors in dark corners of large stores, or even doors marked "Employee Only" or maybe an unlabeled staircase leading to who-knows-where. I know I'm not welcome in those areas, and if I entered one and was subsequently accosted for it, should I be shocked?
Now we start talking about computers, and their presence on public networks. To me this is some kind of bizarre combination of the two previous physical scenarios. The computers themselves are viewed as having the privacy rights of the house, where-as their offering and the environment in which they make the offer is more like the store, or even another unmentioned public situation: A public park. So how do we come to the conclusions we make? Why is "security by obscurity" not enough to justify criminal charges to those who would violate it?
Or, if you see things the other way, then I ask why you think that the public accessing a publicly offered machine is somehow unlawful, even if they are walking through those otherwise unmarked doors or looking for out-of-the way staircases?
Just because a person doesn't break a lock to get into a home doesn't mean it's not breaking and entering, and just because a door at a store is unmarked doesn't mean the person's trying to break the law either. In the internet, your computer is knowingly placed in the public arena with open attempts at making it easy for the public to find and access, yet somehow accessing an unadvertised part of that computer is a violation?
I don't think the answers are clear but I do think some of the associated assumptions on both sides are questionable. It's interesting to thing about at least. Who has the responsibility here, is it the site admin's responsibility to batten down every hatch or is it reasonable to expect people not to snoop around? You tell me...
I read the script, and I think it would help my character's motivation if he was on fire. -Bender