Slashdot: News for Nerds

Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL

Soulskill posted more than 3 years ago | from the security-through-hurf-durf dept.

It's funny. Laugh.

thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."


271 comments

Wouldn't it have been easier (1)

NotQuiteReal (608241) | more than 3 years ago | (#31245178)

To just Google what they wanted to know? Google even has a "url" specifier!

Re:Wouldn't it have been easier (3, Informative)

miggyb (1537903) | more than 3 years ago | (#31245244)

Google is already a dangerous [johnbokma.com] hacker [google.com] tool.

Re:Wouldn't it have been easier (1)

SatanClauz (741416) | more than 3 years ago | (#31245392)

I didn't see this personally, but the person that told me would not have known to make this up or do it on his own.

Picture this:

work laptop in work car
employee opens laptop to use it
employee happens to be down town in business areas
auto-connects to some strong wifi (this was a few years ago before things were pseudo-secure from the box)
accidentally opens the viewer for our in-house security cameras
camera software auto-scans for feeds
employee finds this hilarious and calls to tell about how he is looking at server rooms and hallways in some building

needless to say, that made my day.

Re:Wouldn't it have been easier (1, Insightful)

Anonymous Coward | more than 3 years ago | (#31245750)

Well, considering that he accessed an unknown wireless network and didn't have the laptop configured to VPN back to a trusted network, he was lucky that he just stumbled upon someone even less security-minded than himself.

Proper configuration is not to connect to unknown wireless networks and only configure WPA(2) protected networks. Autoconnecting to unsecured networks is just as stupid as offering them.

Re:Wouldn't it have been easier (1)

SatanClauz (741416) | more than 3 years ago | (#31246108)

Yes, it is bad to auto connect.

Things were different back-in-the-day, remember?

It is really sad to see things like this happen today.

fuckfuck (0, Offtopic)

fuckfuck69 (1752326) | more than 3 years ago | (#31245372)

Whenever I get a package of plain M&Ms, I make it my duty to continue the strength and robustness of the candy as a species. To this end, I hold M&M duels. Taking two candies between my thumb and forefinger, I apply pressure, squeezing them together until one of them breaks and splinters. That is the “loser,” and I eat the inferior one immediately. The winner gets to go another round. I have found that, in general, the brown and red M&Ms are tougher, and the newer blue ones are genetically inferior. I have hypothesized that the blue M&Ms as a race cannot survive long in the intense theater of competition that is the modern candy and snack-food world. Occasionally I will get a mutation, a candy that is misshapen, or pointier, or flatter than the rest. Almost invariably this proves to be a weakness, but on very rare occasions it gives the candy extra strength. In this way, the species continues to adapt to its environment. When I reach the end of the pack, I am left with one M&M, the strongest of the herd. Since it would make no sense to eat this one as well, I pack it neatly in an envelope and send it to M&M Mars, A Division of Mars, Inc., Hackettstown, NJ 17840-1503 U.S.A., along with a 3×5 card reading, “Please use this M&M for breeding purposes.” This week they wrote back to thank me, and sent me a coupon for a free 1/2 pound bag of plain M&Ms. I consider this “grant money.” I have set aside the weekend for a grand tournament. From a field of hundreds, we will discover the True Champion. There can be only one.

Re:fuckfuck (2, Funny)

WrongSizeGlass (838941) | more than 3 years ago | (#31245404)

Dude, way to ruin M&M's for me ... I don't ever want to think of M&M's breeding unless it's that hot one from the TV commercials.

Re:fuckfuck (2, Funny)

SatanClauz (741416) | more than 3 years ago | (#31245500)

okay

first, i'm not sure what this has to do with the post.

second, I do the EXACT same thing :)

that is all

Re:fuckfuck (4, Insightful)

Gerzel (240421) | more than 3 years ago | (#31245678)

But your method doesn't take into account the time it takes an M&M to rest and get into full fighting form between bouts. Thus if the first M&M you come across is the strongest it is still likely to lose simply because it has to face fresh competitor after competitor. Even your fingers raise the core temperature of the competitor high enough after a few bouts to induce softening leaving the M&M weaker against its rested cooler-cored foe.

Solution: Set up a randomized tournament system where you take two M&Ms at random from the rested pack, test them, and put the winner in a separate pile to rest until the pack is empty. Then repeat tournament again between the now rested victors of the first round. Repeat until there is only one.

Re:Wouldn't it have been easier (-1)

thsths (31372) | more than 3 years ago | (#31245762)

Sorry, but the submitter got it wrong. A secret URL is essentially a password - so attempting lots of funny URLs can be like trying lots of ssh logins. The problem here is that it was a weak password, not that they used a secret URL.

Of course there are perfectly good reasons not to rely on secret URLs. Google is one, log files and browser caches are another. But that is a technical issue, and it is not actually relevant here.

Re:Wouldn't it have been easier (5, Insightful)

SatanicPuppy (611928) | more than 3 years ago | (#31245974)

The problem with that analogy is that passwords are by default 2 factor authentication: you need a username and a password.

That's not really the case with a url. A better analogy would be walking around a building on a public street, and looking in windows. It's legal, but morally suspect.

Re:Wouldn't it have been easier (1, Insightful)

Anonymous Coward | more than 3 years ago | (#31246112)

A better analogy would be walking around a building on a public street, and looking in windows. It's legal, but morally suspect.

Unless you're a newspaper researching what your government is up to - in which case it's your job.

Re:Wouldn't it have been easier (1)

Linuxmonger (921470) | more than 3 years ago | (#31246214)

It was three factor, you needed to know the domain first, then the specific server, then the specific pathname on that domain/server. Kudos to the press for having the inside information on the first two, then the perseverance to discover the third.

Re:Wouldn't it have been easier (1)

Bengie (1121981) | more than 3 years ago | (#31246002)

A better analogy would be calling random phone numbers to see if you get any to ring. When you finally get a phone number to ring, it has a voice mail on it and doesn't even prompt for a password.

Re:Wouldn't it have been easier (5, Insightful)

GizmoToy (450886) | more than 3 years ago | (#31246068)

I wouldn't call putting something up on the internet, completely out in the open with no protection whatsoever, and then simply hoping no one will find it because you didn't announce its presence, "essentially a password".

If the internet is a forest and I protect my valuables by sitting them underneath a tree far from civilization and tell no one they're there, should I be mad if someone looking around the forest for valuables takes them all? No. Either you don't put your valuables in the forest or you put them in a big honking safe that no one can break into or walk off with.

Re:Wouldn't it have been easier (4, Insightful)

paiute (550198) | more than 3 years ago | (#31246074)

A secret URL is essentially a password

More like an unlisted phone number.

Was it... (5, Funny)

The Wild Norseman (1404891) | more than 3 years ago | (#31245196)

Re:Was it... (0)

Anonymous Coward | more than 3 years ago | (#31245278)

No, it was nswtransportblueprint.com.au. They didn't even have to do any guessing; they got a tip for what the URL of the web site was, and they went there. There were no secret URLs to go to, they just went to the web site, and printed everything they could navigate to.

Robots.txt (1, Funny)

sakdoctor (1087155) | more than 3 years ago | (#31245410)

User-agent: *
Disallow: /highly_confidential_documents/
Hack-delay: >9000

Re:Was it... (0)

Anonymous Coward | more than 3 years ago | (#31245790)

Don't you mean http://www.australia.gov.au/sheeps_backdoor [australia.gov.au] ?

Re:Was it... (2, Insightful)

Wowsers (1151731) | more than 3 years ago | (#31245794)

It wasn't even a back door, the front door was wide open!

Re:Was it... (3, Informative)

tomhudson (43916) | more than 3 years ago | (#31246072)

It was : http://nswtransportblueprint.com.au/project [nswtranspo...int.com.au]

And it's not open any more - nswtransportblueprint.com.au is now completely off-line.

So they went from Security through Obscurity to Streisand Effect to Slashdot Effect ... but now that their server has melted, at least nobody can "hack" it, so I guess they're happy campers.

Re:Was it... (1)

The Wild Norseman (1404891) | more than 3 years ago | (#31246106)

It wasn't even a back door, the front door was wide open!

How would you know... unless you WERE ONE OF THE HACKERS?!?!

Two Robots in Front of a Judge (5, Funny)

eldavojohn (898314) | more than 3 years ago | (#31245226)

NSW Lawyer: You allege that the Sydney Morning Herald repeatedly sent lascivious requests to you, is that correct?
NSW Server: *nods solemnly*
NSW Lawyer: I see ... and just exactly how many times were you violated?
NSW Server: *pauses and swallows loudly* Three ... three thousand seven hundred and twenty seven.
*crowd gasps*
NSW Lawyer: I see. Now, I know this is hard for you but could you please point to where, exactly, on this anatomically correct server doll the Sydney Morning Herald accessed you from.
NSW Server: *turns the server doll over and motions to the ports* Here on the back, in my ethernet port.
*sounds of disgust ripple through the crowd*
NSW Lawyer: And what did he say to you when this was happening?
NSW Server: GET.
NSW Lawyer: 'GET' what?
NSW Server: He just kept saying GET, GET, GET! GET this document. GET that document.
NSW Lawyer: And did you get it for him?
NSW Server: No it didn't exist! They just weren't there!
NSW Lawyer: And what did you say exactly!
NSW Server: 404! 404, goddammit, 404 ... *breaks down sobbing* I didn't know what he wanted from me until it was too late!!!
NSW Lawyer: There there. There there, it's okay. You're safe now. *turns to the judge* Can we let this sort of gross injustice go unpunished in today's society? How long before this happens to your server? Or ... your child's server?! Huh?
NSW Judge: *nods approvingly*
NSW Lawyer: I rest my case.

Re:Two Robots in Front of a Judge (1)

Chrisq (894406) | more than 3 years ago | (#31245382)

Just imagine how many "hits" they will be getting now they are on slashdot! They do seem to have removed their DNS records [nswtranspo...int.com.au]. Interestingly the domain belongs to [domaintools.com]

Domain Name: nswtransportblueprint.com.au

Registrant: BANG THE TABLE PTY LIMITED

Registrant Contact ID: R-000428733-SN
Registrant Contact Name: Karthik Reddy
Registrant Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs

Name Server: ns10.dnsmadeeasy.com
Name Server: ns11.dnsmadeeasy.com

Re:Two Robots in Front of a Judge (1)

Talderas (1212466) | more than 3 years ago | (#31246018)

Bang the table?

Re:Two Robots in Front of a Judge (1, Funny)

Anonymous Coward | more than 3 years ago | (#31245386)

Yeah, exxxxxxxactttlllyyyyy [ytmnd.com]

Re:Two Robots in Front of a Judge (1)

SeeSp0tRun (1270464) | more than 3 years ago | (#31245578)

I want to mod this up again, too funny!

IANAL, but what happened is akin to entering without permission. It kind of gets fuzzy where it was made publicly available, but not publicly broadcast.

Re:Two Robots in Front of a Judge (3, Insightful)

kalirion (728907) | more than 3 years ago | (#31245878)

If you put a billboard in a back alley, is it "private look only" just because you don't advertise its existence with a billboard on a major highway?

Re:Two Robots in Front of a Judge (2)

elrous0 (869638) | more than 3 years ago | (#31245810)

As someone whose own server got rooted once, I sympathize.

Re:Two Robots in Front of a Judge (1)

dancingmilk (1005461) | more than 3 years ago | (#31245836)

This made my day, thank you.

Urgent notification to all: (5, Funny)

140Mandak262Jamuna (970587) | more than 3 years ago | (#31245246)

Dear NSW Transportation Dept Employee,

We have enhanced the security of our secret intranet site with immediate effect. The new enhanced security intranet site is SECRETnswtransportblueprint.com Please update your bookmarks. To allow our braindead minister who cannot remember a password and is frightened when confronted with a login dialog to use the site, we have disabled the login requirements for all. So please keep the url confidential.

Signed

Assistant to the Minister D Umbi Diot

Deja vu again once more (2, Insightful)

Hognoxious (631665) | more than 3 years ago | (#31245252)

Wasn't there a story like this about ten years ago, but it was something concerning grades or test scores on a college website?

Re:Deja vu again once more (3, Funny)

Yvanhoe (564877) | more than 3 years ago | (#31245380)

Yeah, at this time we were supposing governments would be a bit more cautious than schools.

Re:Deja vu again once more (1)

i-like-burritos (1532531) | more than 3 years ago | (#31245514)

Heh, I've gotten the actual answers to a test that hadn't happened yet by guessing the URL.

Re:Deja vu again once more (1)

ottothecow (600101) | more than 3 years ago | (#31246216)

I've seen that work with solutions to homework...

However, I think the parent was referring to the Harvard admissions website (business school maybe?) where people could figure out if they got in early by playing with the URL. IIRC Harvard took the douche route and decided not to admit those who tried this. I would hope they eventually realized that when someone posts simple URL changing instructions to a business website, people's curiosity will kick in...

Lock, what lock? (4, Insightful)

noidentity (188756) | more than 3 years ago | (#31245254)

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and make copies of highly confidential documents.'

There, fixed that for you, Mr. Minister.

Re:Lock, what lock? (0)

Anonymous Coward | more than 3 years ago | (#31245384)

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and make copies of highly confidential documents.'

There, fixed that for you, Mr. Minister.

Actually, it would be more something like this:

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure PUBLIC place and make copies of highly confidential documents.'

The webserver, by definition, is set up as a public place, anyone is welcome to come in and look around as long as they follow the instructions (permissions) set by the webserver. In reality this is much more like someone literally turning over leaves in the park outside of a museum under which just one special leaf the government kept their notepad of secrets.

Still not far enough. (5, Insightful)

zippthorne (748122) | more than 3 years ago | (#31245684)

More like,

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn their own head in a busy, public marketplace and look at a billboard.'

Don't want people reading your web site? Put it behind a login. Anything else is just sophistry to cover up incompetence. Web sites are advertisements first and foremost. The whole point is to make it possible for as many people as possible to read your thing. If you want to exclude certain people from being able to view it, then you shouldn't just put a billboard up where you think it's out of the way and hope nobody notices, you should put it behind a door which requires a key to get in.

Re:Still not far enough. (1)

EvanED (569694) | more than 3 years ago | (#31246060)

Don't want people reading your web site? Put it behind a login. Anything else is just sophistry to cover up incompetence.

While I do agree, and think that criminal investigations and such in this case are ludicrous and hope they don't go anywhere, part of me does wonder... what's the difference between a non-linked document where you don't tell people the URL and a site with a password?

Would guessing 3000 different passwords be as forgivable, even if the system doesn't cut you off? Is an easily-guessed URL any better than an easily-guessed password?
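The two comments above (zippthorne's "put it behind a login" and EvanED's question of whether a guessable URL is any better than a guessable password) are easier to reason about with concrete numbers and a concrete check. The following is an added example, not code from the thread or from the NSW site: a toy router with one document "protected" only by being unlinked and one behind a session check, a helper that puts the guessing effort of a URL path in the same units as a password, and the defender-side signal a server would actually have had (a client piling up 404s). All paths, session ids and user names are constructed.

```python
import math
import secrets
from collections import Counter
from typing import List, Optional, Set, Tuple

# Constructed session store standing in for a real login system (hypothetical).
ACTIVE_SESSIONS = {"sess-7f3a": "clerk@example.invalid"}


def guess_bits(candidates: int) -> float:
    """Worst-case guessing effort, in bits, for a secret drawn uniformly from
    `candidates` values. A path that is one of ~10,000 plausible words is a
    ~13-bit secret; an 8-char lowercase password is ~37.6 bits. That is the
    precise sense in which a guessable URL is a weak password."""
    return math.log2(candidates)


def new_capability_path(nbytes: int = 16) -> str:
    """An unlinked URL only works as a credential when it is unguessable:
    16 random bytes is a 128-bit secret, unlike '/project'."""
    return "/d/" + secrets.token_urlsafe(nbytes)


class Site:
    """Toy request router. '/project' is served to anyone who names it;
    '/staff/plan' is refused without a valid session. Names hypothetical."""

    def __init__(self) -> None:
        self.documents = {
            "/project": "unreleased plan",      # unlinked, no check at all
            "/staff/plan": "unreleased plan",   # login-gated
        }
        self.login_required = {"/staff/plan"}
        self.access_log: List[Tuple[str, str, int]] = []  # (client, path, status)

    def handle(self, client: str, path: str,
               session: Optional[str] = None) -> Tuple[int, str]:
        if path not in self.documents:
            status, body = 404, ""
        elif path in self.login_required and session not in ACTIVE_SESSIONS:
            status, body = 401, ""   # refuse before the document is touched
        else:
            status, body = 200, self.documents[path]
        self.access_log.append((client, path, status))
        return status, body


def clients_probing_paths(access_log: List[Tuple[str, str, int]],
                          max_misses: int = 20) -> Set[str]:
    """Defender's view: a client that keeps hitting 404 is the one signal the
    server has that paths are being guessed rather than followed from links.
    A browser following real links produces almost none."""
    misses = Counter(client for client, _path, status in access_log if status == 404)
    return {client for client, n in misses.items() if n > max_misses}


if __name__ == "__main__":
    site = Site()
    print(site.handle("press", "/project"))                  # (200, 'unreleased plan')
    print(site.handle("press", "/staff/plan"))               # (401, '')
    print(site.handle("press", "/staff/plan", "sess-7f3a"))  # (200, 'unreleased plan')
    print(round(guess_bits(10_000), 1), round(guess_bits(26 ** 8), 1), guess_bits(2 ** 128))
```

The point of `guess_bits` is that the question "is an easily-guessed URL any better than an easily-guessed password?" has a numeric answer: no, and a dictionary-word path is far weaker than even a short random password. The point of `Site` is that the gate belongs in the request handler, where it is enforced for every path whether or not it is linked anywhere.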

Re:Lock, what lock? (1)

Obyron (615547) | more than 3 years ago | (#31245416)

Even that doesn't work. At least in most of the US, you can still be considered "breaking and entering" even if the door is ajar, and you push it open. It's going into a place where you're not permitted for the purpose of committing a felony. The analogy here is more like being told there's a really juicy part in a book, so you flip through until you find the page. The author tries to sue you for circumventing his copyright protection, which was not putting a number on the page.

Re:Lock, what lock? (1)

zappepcs (820751) | more than 3 years ago | (#31245646)

Exactly, logic says if you don't want it read by the public, don't host it on a public webserver. There are plenty of analogies here, but you're right, there was no lock or even a partially closed door. This doesn't equate well to the physical world unless you want to say they were invited into the room with no door on it, a room filled with artworks, and under a few of the paintings is a small sign with fine print that says 'please don't look at this painting'. Some of us are getting used to standards in web design and may attempt a uri by guess in case that common page is already created to save looking for it. This is not uncommon, so the practice of typing in a uri rather than clicking on links is not a felonious adventure. If you've already seen the painting, the fine print on the little sign is not going to be sufficient security. If you're not sure what I mean, try http://microsoft.com/search [microsoft.com] or http://ibm.com/search [ibm.com] or http://any/ [any] website/search I'm only guessing, but I bet the search box would have found the documents for them also?

Re:Lock, what lock? (1)

kalirion (728907) | more than 3 years ago | (#31246016)

FTA:
- We got a tip on Friday that you could read the government's transport plan by accessing a website called, unsurprisingly, nswtransportblueprint.com.au.

- Even we did not need help to type in those letters. No password was requested or offered.

- Instead we were confronted with a dream menu for any reporter: rail services, cycleways, walking and cycling, bus services, paying and road network.

So the analogy here is being told there's a really juicy book in a library at this specific location, but the book not being in the library's online catalog. The book itself has a full table of contents.

Re:Lock, what lock? (5, Insightful)

RoFLKOPTr (1294290) | more than 3 years ago | (#31245430)

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and kindly accept the highly confidential documents that the receptionist hands to you.'

There, fixed that for you, Mr. Minister.

There, fixed that for you.

Re:Lock, what lock? (2, Insightful)

cowbutt (21077) | more than 3 years ago | (#31245690)

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to a single attempt to turn the doorknob of an insecure office and kindly accept the 3,727 highly confidential documents that the receptionist hands to you.'

There, fixed that for you, Mr. Minister.

There, fixed that for you.

Having RTFA, I fixed that for you. Doesn't look like there was any brute-forcing of the URL involved, just surfing around retrieving pages and images.

Re:Lock, what lock? (0)

Anonymous Coward | more than 3 years ago | (#31246080)

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to walking up to a person and kindly accepting the 3,727 highly confidential documents that he is waiting to hand to you.'

There, fixed that for you, Mr. Minister.

There, fixed that for you.

Having RTFA, I fixed that for you. Doesn't look like there was any brute-forcing of the URL involved, just surfing around retrieving pages and images.

Fixed that for you - there wasn't even a door.

Re:Lock, what lock? (0)

Anonymous Coward | more than 3 years ago | (#31245696)

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to read from the public facing outside of a government building wall highly confidential documents that have been taped up there by an idiot.'

There, fixed that for you, Mr. Minister.

There, fixed that for you.

Done and done

Re:Lock, what lock? (4, Insightful)

TexasTroy (1701144) | more than 3 years ago | (#31245504)

Incorrect. Burglary can still occur if you do not lock the door to your house. The problem here is that the govt posted material on something akin to an unfinished public street that is not (yet) on any map and then complaining that someone drove onto it because they (the govt) didn't put up a sign/gate to keep people off of it.

Re:Lock, what lock? (1)

interkin3tic (1469267) | more than 3 years ago | (#31245546)

that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and make copies of highly confidential documents.

Makes you wonder if the reporter had typed in "http://nswtransportblueprint.com.au/project" on the first try instead of the 3,727th try, would the government have been okay with that? If a reporter were outside an unlocked government door, pawing it 3,727 times before successfully opening it, that would be pretty strange, but doesn't change anything.

Re:Lock, what lock? (1)

tomhudson (43916) | more than 3 years ago | (#31246212)

I RTFA, it was the first try. They were tipped off, entered this address: http://nswtransportblueprint.com.au/ [nswtranspo...int.com.au] there was no login or any other user verification, so they then clicked on all the links, downloading each page as it was served to them.

In other words, (again I RTFA) the site was supposed to go public a few days later - they just got there early and scooped everyone else, being the evil ink-stained wretches that they are :-)

Re:Lock, what lock? (0, Redundant)

Saint Fnordius (456567) | more than 3 years ago | (#31245568)

To expand upon your metaphor...

Consider the "security" of the entry akin to having an unlocked door that is merely obscured by bushes painted to match the brickwork, and no pavement leading to it. There also was no one monitoring the traffic going in and out, so no one was there to notice the reporters making photographs until much later.

Security by obscurity at its finest.

Re:Lock, what lock? (2, Insightful)

elrous0 (869638) | more than 3 years ago | (#31245856)

Actually, it's more like "I hid the document in what I thought was a secret spot, in a public park. Someone discovered it there and started talking about it with their friends."

Reminds me of... (4, Interesting)

courteaudotbiz (1191083) | more than 3 years ago | (#31245270)

This reminds me of a case in Canada, where Passport Canada (the agency responsible for passport emission) was "hacked" by changing some numbers in the URL to get from one passport request details to the other, making very confidential information available to even the most basic hackers.

However, no one was accused here, except the developers of the solutions who were blamed. Now, Passport Canada still processes online passport requests, but applicants are no longer able to view the details and advancement of their application online.

Re:Reminds me of... (0)

Anonymous Coward | more than 3 years ago | (#31245676)

That was bad coding, this is bad policy. I can understand it though. I know of a few ol' timers who get livid when a site prompts them to log in. They honestly feel their time is so precious and they are so important that they shouldn't have to log in. And they're so stubborn, they absolutely will not log in to the site, even after you've told them the password (for the 100th time). They just refuse to use the site to prove their point (that they shouldn't need to log in).

Re:Reminds me of... (1)

girlintraining (1395911) | more than 3 years ago | (#31246260)

This reminds me of a case in Canada, where Passport Canada (the agency responsible for passport emission) was "hacked" by changing some numbers in the URL to get from one passport request details to the other, making very confidential information available to even the most basic hackers.

I still try that out of habit when I see a record ID encoded in the URL. Still works on a lot of websites... about 8% of the time, especially for smaller shops. I usually send them an e-mail and move on. There's too many to waste my time following up with each one...
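The Passport Canada case described in this subthread (changing the number in the URL to read someone else's application) is the bad-coding variant rather than the bad-policy one: the id in the URL was the only thing consulted. The following is an added example, not code from the thread or from any real agency, showing the flawed lookup beside two fixes: binding the lookup to the authenticated user, and replacing the sequential id in the URL with an opaque per-user handle. Records, user names and the server key are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str
    status: str


# Constructed records with sequential ids, like the ones the poster describes.
APPLICATIONS: Dict[int, Application] = {
    1001: Application(1001, "alice", "processing"),
    1002: Application(1002, "bob", "approved"),
}


class Forbidden(Exception):
    """Raised for any record the caller may not see."""


def status_lookup_vulnerable(app_id: int) -> Application:
    """The flaw: the id from the URL is the only input. Whoever can reach the
    page can walk 1001, 1002, ... and read every applicant's file."""
    return APPLICATIONS[app_id]


def status_lookup(current_user: str, app_id: int) -> Application:
    """Fix 1: look the record up *and* check it against the authenticated
    principal. Missing and not-owned raise the same error, so the id space
    cannot be mapped by telling 404 apart from 403."""
    app = APPLICATIONS.get(app_id)
    if app is None or not hmac.compare_digest(app.owner, current_user):
        raise Forbidden("application not available to this user")
    return app


def can_view(current_user: str, app_id: int) -> bool:
    """Convenience predicate around status_lookup."""
    try:
        status_lookup(current_user, app_id)
        return True
    except Forbidden:
        return False


def opaque_handle(server_key: bytes, current_user: str, app_id: int) -> str:
    """Fix 2: put a keyed hash of (user, id) in the URL instead of the raw id.
    Handles are unguessable and bound to the user, so alice's handle resolves
    to nothing for bob. The key stays on the server."""
    msg = f"{current_user}:{app_id}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()[:32]


def resolve_handle(server_key: bytes, current_user: str, handle: str) -> Application:
    """Map a handle back to a record. The table here is tiny, so a scan is
    fine; a real service would store the handle->id mapping."""
    for app_id in APPLICATIONS:
        if hmac.compare_digest(opaque_handle(server_key, current_user, app_id), handle):
            return status_lookup(current_user, app_id)
    raise Forbidden("unknown handle")


if __name__ == "__main__":
    key = b"constructed-server-key"          # constructed, not a real secret
    print(status_lookup_vulnerable(1002))    # bob's record, no questions asked
    print(can_view("alice", 1001), can_view("alice", 1002))  # True False
    h = opaque_handle(key, "alice", 1001)
    print(resolve_handle(key, "alice", h).status)           # processing
```

Fix 1 is the one that actually closes the hole; fix 2 is defence in depth, useful mainly because it removes the temptation (and the 8% success rate the poster reports) of nudging a visible integer. The `hmac.compare_digest` calls keep the ownership and handle comparisons constant-time; the returned error is the same in every refusal path for the same reason.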

Really? (4, Insightful)

Monkeedude1212 (1560403) | more than 3 years ago | (#31245276)

Are there no IT Pros that work for the government?

I read stories like this and I think "There's no way they could be monitoring my traffic, they can't even set up basic login authentication for their websites"

Re:Really? (4, Funny)

WrongSizeGlass (838941) | more than 3 years ago | (#31245526)

Are there no IT Pros that work for the government?

Sadly, no ... they're all working for school districts in southern Pennsylvania.

Re:Really? (3, Informative)

digitalchinky (650880) | more than 3 years ago | (#31245666)

There are some terribly bright and technically minded people in government, particularly in the intelligence gathering fields (secret 3 letter agencies) - unfortunately they are not usually in positions of power or within ear shot of anyone that might easily comprehend what they are actually saying. I guess it's the same old problem everywhere - if 'Government' knew what they actually had behind their own closed doors, they'd be shocked, maybe even outraged :-)

I spent a lot of years working for the defence signals directorate (Same as the NSA's, different acronym) - safe to say that those up at the top take about 5 to 10 years to actually understand what their underlings have been saying for the aforementioned 5 to 10 years. Ops Normal.

The main problem is, as others have more eloquently said, right up at the top you get the boss saying "Just make it f'ing happen already" Be damned if they care about security. Thus the stunningly illogical knee jerk reaction to shut the barn door after the quadrupeds have already legged it, oh, and death sentences to the idiots that forged the door hinges, because we need to punish the wrong people in spectacular fashion to prove a point that nobody will ever understand.

Apparently, Yes. (1)

celtic_hackr (579828) | more than 3 years ago | (#31246168)

Someone has secured the site, or deleted it. The link no longer works, and here I was going to look for a robots.txt file. Rats! Foiled again! Not even a login prompt. It may be: [Agent86 voice] "they used the old use the /. effect to bring the server crashing down and thereby securing it from all those pesky hackers" trick. [/Agent86 voice]

Curiously, they specifically make it sound like all 3,727 page hits were from the hacks at the Herald, but clearly state the "some of them" came from the Herald. So, what is the actual number from the Herald hacks? Hmmm... I'd buy that for a dollar!

I love the name of the web hosting outfit: (5, Insightful)

hey! (33014) | more than 3 years ago | (#31245290)

"Bang the Table".

Methinks we have found a new tag for articles about politicians who are bit by their own stupid security practices. Release Word file with revision history still in it? Bang the table. Secret government data stolen because of malware you downloaded from a porn site? Bang the table.

tubes from their door to my keyboard (1)

uncanny (954868) | more than 3 years ago | (#31245346)

Then don't put your UNLOCKED door in my house! This is the internets

Re:tubes from their door to my keyboard (1)

Frosty Piss (770223) | more than 3 years ago | (#31245436)

Then don't put your UNLOCKED door in my house! This is the internets

This argument is used all the time, but it really doesn't apply. Leaving your door unlocked is not consent, implied or otherwise, for anyone to waltz on in.

That doesn't justify morons running the site in question, but like many anecdotal arguments, it doesn't hold much water in the real world.

Re:tubes from their door to my keyboard (1)

ircmaxell (1117387) | more than 3 years ago | (#31245584)

This argument is used all the time, but it really doesn't apply. Leaving your door unlocked is not consent, implied or otherwise, for anyone to waltz on in.

True, but this was more akin to walking in to a library, and finding confidential documents in the general section right next to the Sunday newspaper (AKA, not behind any doors at all). All it took was knowing (or figuring out) where to look. There was no door here (if there was, it would have been in the form of a password or a DNS block (only allowing internal IP addresses), etc)...

Re:tubes from their door to my keyboard (4, Insightful)

Nadaka (224565) | more than 3 years ago | (#31245876)

How about a car analogy?

This isn't like breaking the window on a Civic and tearing out the stereo system that cost more than the car.

This isn't like opening the unlocked door on a Prius and taking someone's cd collection they left on the passenger seat.

This isn't like reaching through the open window of a hummer and snatching a stick of gum.

This is like getting on a public bus, and using your cell phone to snap pictures of the graffiti on the wall.

Re:tubes from their door to my keyboard (1)

Lumpy (12016) | more than 3 years ago | (#31246252)

Exactly and having a website on the internet is like not even having a door or even a house. It was all spread on the lawn for everyone to stop and see.

Question: (4, Interesting)

Pojut (1027544) | more than 3 years ago | (#31245376)

Is it even legally possible to bring up criminal charges, considering the URL was completely unsecured?

Re:Question: (1)

garcia (6573) | more than 3 years ago | (#31245542)

Bring up? Sure. Successfully prosecute? That's up for debate.

Re:Question: (3, Insightful)

OzPeter (195038) | more than 3 years ago | (#31245580)

It's always possible to bring up charges... whether they are warranted or provable is a totally different thing.

Answer: (1)

mea37 (1201159) | more than 3 years ago | (#31245692)

Why, yes, yes it is.

First of all, define "completely unsecured". I'm pretty sure I know your definition, and if I had to vote I'd support it; but I'm also pretty sure I know their definition and it has a frightening amount of support. They will argue, and the courts might accept, that the non-publication of the URL constitutes "security", or an expectation of privacy, or whatever terms they need to feel good about filing charges.

This is a matter of technical knowledge. To a person who only knows how to follow links, limiting circulation of links can seem like "security". You can point out that it's easy to learn the skills to circumvent that, but think how that looks to someone who isn't very computer literate. "Sure, you can learn how to get around it - just like a thief can learn how to bypass a typical 5-pin lock. The skill to bump a lock isn't very hard to learn either."

The point is, as long as the typical level of knowledge doesn't include ways to find a non-published URL, the perceived threat will be in those who have the knowledge - not in those whose idea of "security" allows that knowledge to be used. I've seen Fortune 500 companies ban desktop search tools rather than tell their employees not to "hide" sensitive documents on unlocked directories of shared drives. You really think the courts and laws are so far ahead of that knowledge curve?

Ultimately what's missing is a universal legal standard that presumes information is public if it is deliberately placed on a web-accessible file system without at least a prescribed level of protection. How strong that prescribed level of protection should be is open to debate. I don't need fool-proof security on my house to charge you with trespassing - a closed door is more than enough.

The exact standard isn't important. What's important is, the standard should exist, should be universal, and should be known to all parties.

Re:Answer: (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#31246070)

the non-publication of the URL constitutes "security", or an expectation of privacy, or whatever terms they need to feel good about filing charges

That will be a scary day indeed.

All I will need to do is make a popular mis-spelling, claim my site was meant to be secured, and any and all visitors are intruders seeking to steal my private data, and then sue everyone listed in the logs.

slashhdot.org! Why they accessed my secret files!

Re:Answer: (1)

maxume (22995) | more than 3 years ago | (#31246144)

If we end up with a legal standard where making information available over http without authentication is considered anything other than intent to share the information, we have failed miserably.

Re:Question: (1)

digitalhermit (113459) | more than 3 years ago | (#31245952)

A couple years ago I was searching for the name of an old friend from college. I got a few Google hits for his full name and followed one of them. It led to a page on a radio station website that had lots of confidential information including birth date, email address, home address, business phone/address, salary, *and* password information. I alerted the radio station immediately. The first response from them was accusatory, asking what I was doing hacking their site. I sent back an email to the person who responded and to the addresses listed on their contact page detailing how I found the information. Haven't heard back from them, but the page stayed up for over a week.

Re:I am not a lawyer (0)

Anonymous Coward | more than 3 years ago | (#31246158)

If I hide my wristwatch in a crowded shopping mall with the intent of retrieving it after lunch, and someone else finds and takes it, has that person stolen my watch?

Yes.... (1)

MROD (101561) | more than 3 years ago | (#31246250)

Daniel Cuthbert, who "hacked" the DEC charity website by using '../' in the URL. Convicted 2005.

http://www.samizdata.net/blog/archives/008118.html

Bang the Table???? (2, Informative)

140Mandak262Jamuna (970587) | more than 3 years ago | (#31245408)

The article mentions the hosting company is called Bang the table. Where have I heard that before?

Yup, recently someone in pandasthumb.org quoted someone famous saying, "If the law is on your side, bang on the law, If facts are on your side, bang on the facts, if neither, bang on the table".

Why care about security when you can rule by fear? (1)

Suzuran (163234) | more than 3 years ago | (#31245426)

These reporters will learn not to meddle in government affairs when they're behind bars for the next 50+ years for computer offenses. Security is for chumps. Real security is sleeping well at night knowing that everyone else cowers in fear of your wrath. Not many reporters are willing to bet their lives on a story, and those that are willing will be made examples to the rest. Either the story dies or you do - Your choice!

More like "exceeding authorization" (1)

ub3r n3u7r4l1st (1388939) | more than 3 years ago | (#31245452)

There are no changes or password cracking involved. More like "accidentally" viewing a website that is not supposed to be public.

This reminds me of a similar case where an employee was able to look at files that he was not supposed to see with his account, thanks to a mistake by a sysadmin, and the boss accused him of hacking.

'Trespassing' and 'Breaking and Entering' (1)

capitaladot (1132409) | more than 3 years ago | (#31245478)

We do a very poor job, globally, of distinguishing between electronic trespass and electronic breaking and entering. In the rush to criminalize computer use deemed anti-social, bedrock concepts such as the above were not well-translated to electronic paradigms. As such, bizarrely disproportionate legal sanctions are often applied to those convicted of these acts, and with little reason beyond knee-jerk technophobia.

As long as the URL is secret, it is an attack (0)

Anonymous Coward | more than 3 years ago | (#31245482)

There is no technical difference between a password in the URL and a password in the rest of the HTTP header. Neither is a particularly good access control, but as long as the URL is not easily derived from another URL or published in any way, they are actual access control methods. We don't use secret URLs because there are many ways a URL can easily leak and become public knowledge (e.g. through the HTTP Referer header). Secret URL components are however used frequently for session control when cookies are unavailable. Would you not consider using a leaked session-URL an attack?

Re:As long as the URL is secret, it is an attack (0)

Anonymous Coward | more than 3 years ago | (#31245820)

Thank you. Slashdot is truly full of stupid today...as it usually is.

Bad security != no security. I won't make tedious analogies, but suffice to say that unless the URL was linked from elsewhere (i.e., Google-able), this does clearly constitute unauthorized access. Likewise, I can look at my server logs and give you plenty of URLs that, if used deliberately, are hacking attempts. Morally, effectively, attempting to brute force a private URL is no different than trolling for exploits. Which I hope we can all agree is plainly illegal, even if you're a DUR HUR DUMAS LOL WTF who forgot to update phpBB for the last five years.

Library analogy (4, Funny)

vlm (69642) | more than 3 years ago | (#31245490)

'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.'

Much more like checking 3727 shelves in the public library looking for a copy of "internet security for dummies"

The funny part is both sides are fairly non-technical, meaning some "journalist" probably typed in all 3727 URLs.

Re:Library analogy (1)

TheOutLiar (1337649) | more than 3 years ago | (#31245630)

Seems more akin to handing someone a keyring with 3,727 keys on it and asking them to open the door.

Re:Library analogy (1)

Mr Thinly Sliced (73041) | more than 3 years ago | (#31245650)

The funny part is both sides are fairly non-technical, meaning some "journalist" probably typed in all 3727 URLs.

You mean they didn't write a visual basic GUI to trace an IP address? [youtube.com]

From the sounds of this story the Aussie Gov't hired the technical consultants from 24 as their sysadmin and security guy.

Re:Library analogy (3, Informative)

nedlohs (1335013) | more than 3 years ago | (#31245944)

Nothing like that at all.

They were told the url by someone.

They entered it into their browser and got a everyday normal web page.

They clicked on the menu items and printed out the pages.

No guessing involved. No typing (other than the initial url) involved.

The 3727 is probably the number of request logs on the web server from them, counting all the images/css/js/etc files to make it look larger.

If they were slightly technical they might have done:

wget -m http://nswtransportblueprint.com.au/

but that would be *more* typing...
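The point above (the 3,727 figure is most likely raw server-log hits, images/css/js included, and a mirror with wget would inflate it just the same) is something you can check against the log itself. The following is an added example, not code from this thread or from the site in question: it parses Apache/nginx combined-format lines, separates page hits from sub-resource hits, and uses the 404 ratio to tell a visitor who knew the URL from one who was guessing URLs. The log lines, IP addresses, paths and the 50% miss threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format. The sample lines further down are
# constructed for this example; they are not real server logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Sub-resources a browser fetches on its own after loading a page. They pad
# the raw hit count without being a separate act of "access" by the person.
ASSET_EXTS = (".css", ".js", ".png", ".gif", ".jpg", ".jpeg", ".ico", ".svg", ".woff")

SAMPLE_LOG = """\
203.0.113.10 - - [24/Feb/2010:09:00:01 +1100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Feb/2010:09:00:01 +1100] "GET /css/site.css HTTP/1.1" 200 812 "http://example.gov.au/" "Mozilla/5.0"
203.0.113.10 - - [24/Feb/2010:09:00:01 +1100] "GET /img/logo.png HTTP/1.1" 200 4096 "http://example.gov.au/" "Mozilla/5.0"
203.0.113.10 - - [24/Feb/2010:09:00:02 +1100] "GET /js/menu.js HTTP/1.1" 200 2210 "http://example.gov.au/" "Mozilla/5.0"
203.0.113.10 - - [24/Feb/2010:09:00:09 +1100] "GET /plans/rail.html HTTP/1.1" 200 9876 "http://example.gov.au/" "Mozilla/5.0"
203.0.113.10 - - [24/Feb/2010:09:00:15 +1100] "GET /plans/rail.pdf HTTP/1.1" 200 230000 "http://example.gov.au/plans/rail.html" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2010:11:30:00 +1100] "GET /admin HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [24/Feb/2010:11:30:00 +1100] "GET /backup HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [24/Feb/2010:11:30:01 +1100] "GET /plan1 HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [24/Feb/2010:11:30:01 +1100] "GET /plan2 HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [24/Feb/2010:11:30:02 +1100] "GET /plans/ HTTP/1.1" 200 3100 "-" "curl/7.19"
"""


def is_asset(path):
    """True for stylesheet/script/image requests, False for pages and documents."""
    return urlsplit(path).path.lower().endswith(ASSET_EXTS)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per-client breakdown: raw hits vs. page hits vs. asset hits vs. 4xx/5xx misses."""
    stats = defaultdict(lambda: {"total": 0, "pages": 0, "assets": 0,
                                 "errors": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"][0] in "45":
            s["errors"] += 1          # a miss: the URL did not exist or was refused
        elif is_asset(rec["path"]):
            s["assets"] += 1
        else:
            s["pages"] += 1
            s["paths"].add(urlsplit(rec["path"]).path)
    return dict(stats)


def classify(entry, miss_ratio=0.5):
    """A visitor who was told the URL produces 200s plus the page's assets;
    a visitor guessing URLs produces mostly 404s. The threshold is an assumption."""
    if entry["total"] == 0:
        return "none"
    if entry["errors"] / entry["total"] >= miss_ratio:
        return "enumerating"
    return "browsing"


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG.splitlines()).items():
        shown = {k: v for k, v in entry.items() if k != "paths"}
        print(ip, classify(entry), shown, sorted(entry["paths"]))
```

Run it as-is and the first client shows six hits of which only three are pages and none are misses, i.e. ordinary browsing of a site it already knew; the second client shows four 404s out of five, the signature of guessing. Counting "pages" rather than "total" is the number that corresponds to documents actually read.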

Entropy (3, Interesting)

michaelmalak (91262) | more than 3 years ago | (#31245588)

Security by obscurity at its finest.

At what point does obscurity become security? 3,727 attempts corresponds to 12 bits of entropy. According to NIST [nist.gov], that's the equivalent of a 5-character user-selected password. The same document stipulates a mere 10 bits of entropy for some applications.

Re:Entropy (1)

samkass (174571) | more than 3 years ago | (#31245792)

That's an interesting point. The same point could be made about other "mathematically" obscure things such as an IPv6 address. If all information was available online but some of it was password protected, what's the difference between guessing URLs and guessing passwords?

To answer my own question: the expectation of privacy. A password implies the expectation of privacy, while posting something that anyone can access with the right URL does not have the same implication to me.

Re:Entropy (2, Interesting)

SatanClauz (741416) | more than 3 years ago | (#31246196)

You answered michaelmalak's question at the same time!

Obscurity becomes security when you have no reason for expectation of privacy :)

Re:Entropy (1)

daremonai (859175) | more than 3 years ago | (#31246162)

The newspaper didn't do any guessing at all. They were told the site name, and went directly to it. The site had links to all sorts of transportation plans, which the guys at the paper accessed. That's where the 3,727 number comes from - just the number of URI accesses listed in the web server log, most likely by other people in addition to the newspaper.

Window analogy (3, Interesting)

realsilly (186931) | more than 3 years ago | (#31245620)

Just because a house has windows and they aren't covered by curtains does not mean that by looking through the window and reading an important document left near the window you aren't stealing info. An unlocked door also doesn't mean you have the right to open it either. Both are wrong.

Conversely, an unpublished website for a govt. agency... and they really thought that was secure? Buahhahhahhahhahha!

Re:Window analogy (3, Interesting)

Dunbal (464142) | more than 3 years ago | (#31245868)

An unlocked door also doesn't mean you have the right to open it either.

However, leaving your "secret info" in a public place, like say, the MIDDLE OF THE STREET, does not entitle you to any form of protection.

No door was opened. The internet by definition is PUBLIC. That is the PURPOSE of the internet. If you create a website and put information on it that requires no authentication or other sort of credentials to access it, you have placed said information in the PUBLIC. Otherwise all search engines are repeatedly "hacking" every single site on the web. You know that there's a file called robots.txt that you can use to limit access from spiders. And you know there's something called a "password" to protect sensitive information.

Not only is it inexcusable that a public office would commit such an act of negligence as putting (presumably) sensitive information in a place where it can be accessed by anyone, they compound their ignorance by trying to go after people who stumble across it. There have been a lot of ridiculous things happening in Australia lately, but this one takes the cake.

Lowell Maximum Security Prison? (1)

LaminatorX (410794) | more than 3 years ago | (#31245652)

I'd like you to consider that web-address "off-limits," as a favor to me.

Bad Security Everywhere (0)

Anonymous Coward | more than 3 years ago | (#31245656)

I once worked for a 3rd Party Energy Marketer, i.e. they sell you Gas/Electric "supply" and you pay your local utility for "delivery". So in the company's quest to find "good" customers, I took the liberty of writing a small program that started with a base 15 digit number and just incremented the number by one each time and tried to login to the ConEd NY website with that account number. Once I found an account that I could login, I had the account holder's name, address, payment history and usage history and could discover if it was an account worth our enrollment department contacting to try to sign up or if we should flag their account number as a "never sign this person up, ever" account. ConEd tracked down the IP/source of the millions of requests and asked us politely to stop, but the hole still exists ~5 years later and if I had some more free time, I'd continue to use my little program and run a junk mail campaign in my spare time. I don't know what this has to do with the story other than that I bet just changing query string parameters and seeing what happens is probably the easiest, most common "attack", even by people who don't mean to be attacking.

A more correct simile (0)

Anonymous Coward | more than 3 years ago | (#31245732)

'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.'

A more correct simile would be like driving around to the addresses of 3,727 public parks until they find the one that contains documents.

Redefinition (0)

Anonymous Coward | more than 3 years ago | (#31245816)

No matter what the vendor/contractor/"expert" told you, an unannounced valid URL is NOT a firewall.

Hey AU gov't (0)

Arancaytar (966377) | more than 3 years ago | (#31245842)

No, it's not. It's more like calling 3727 telephone numbers until you find one that is connected.

Proposal for Australia (5, Funny)

elrous0 (869638) | more than 3 years ago | (#31245980)

Considering all the anti-internet, anti-gaming, anti-pron laws and sentiment that seems to have become so pervasive in Australia recently (much to the delight of /. editors, who have had no shortage of great front page stories from there recently) I propose that Australia must, to protect its citizens from the immoral influence of the internet, REMOVE ITSELF FROM THE INTERNET IMMEDIATELY. It's the only way to be sure.

Latvia too (1)

atisss (1661313) | more than 3 years ago | (#31246038)

Our local media is full of news regarding the Gov't Tax office; it has been hacked by just incrementing ids in URLs (without any authorization), so a total of 7 million declarations have been downloaded. The attacker is publishing downloaded data on Government owned institutions, revealing the income of the highest-paid employees. http://latviantelecoms.blogspot.com/2010/02/cyberactivists-obtain-latvian-state.html [blogspot.com]
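Several comments in this thread describe the same underlying bug from different angles: the "secret URL is a password" argument, the 12-bits-of-entropy arithmetic for 3,727 guesses, the ConEd account-number loop, and the Latvian tax office's incrementing ids. The following is an added example, not code from this thread or from any of the sites mentioned, that puts them side by side: a store that serves any record whose sequential id you present (an insecure direct object reference), next to one that uses a random capability token *and* checks ownership, plus the entropy comparison that explains why enumeration works on one and not the other. The document store, owners and record bodies are constructed for the example.

```python
import hmac
import math
import secrets

# Constructed sample data for this example: owner and body of three records.
DOCUMENTS = {
    1: ("alice", "rail blueprint draft"),
    2: ("bob", "tax declaration 2009"),
    3: ("carol", "budget memo"),
}


class InsecureStore:
    """Hands a record to anyone who presents its sequential id (IDOR).
    The requesting user is accepted but never consulted."""

    def fetch(self, doc_id, requesting_user):
        rec = DOCUMENTS.get(doc_id)
        return rec[1] if rec else None


class HardenedStore:
    """Two independent fixes: an unguessable capability token in the URL and
    an ownership check against the authenticated user. Either alone helps;
    both together mean a URL that leaks via Referer, logs or browser history
    is still not enough on its own."""

    def __init__(self):
        self._records = {}   # token -> (owner, body)
        self.tokens = {}     # doc_id -> token; kept only so the demo can look them up
        for doc_id, (owner, body) in DOCUMENTS.items():
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            self._records[token] = (owner, body)
            self.tokens[doc_id] = token

    def fetch(self, token, requesting_user):
        # compare_digest keeps the comparison constant-time. A production
        # store would index a hash of the token instead of scanning them all.
        for stored, (owner, body) in self._records.items():
            if hmac.compare_digest(stored, token):
                return body if owner == requesting_user else None
        return None


def enumerate_sequential(store, requesting_user, attempts):
    """The ConEd-style loop: try ids 1..attempts and keep every hit."""
    found = []
    for doc_id in range(1, attempts + 1):
        body = store.fetch(doc_id, requesting_user)
        if body is not None:
            found.append(body)
    return found


def enumerate_tokens(store, requesting_user, attempts):
    """The same request budget spent on random tokens; expected hits are ~0."""
    found = []
    for _ in range(attempts):
        body = store.fetch(secrets.token_urlsafe(32), requesting_user)
        if body is not None:
            found.append(body)
    return found


def guess_entropy_bits(space_size):
    """Bits an attacker has to guess when all space_size values are equally likely."""
    return math.log2(space_size)


if __name__ == "__main__":
    print("sequential ids, 3727 tries:",
          enumerate_sequential(InsecureStore(), "mallory", 3727))
    hardened = HardenedStore()
    print("random tokens, 3727 tries:",
          enumerate_tokens(hardened, "mallory", 3727))
    print("owner with own token:", hardened.fetch(hardened.tokens[1], "alice"))
    print("stranger with leaked token:", hardened.fetch(hardened.tokens[1], "mallory"))
    print("entropy of 3727 guesses: %.1f bits" % guess_entropy_bits(3727))
    print("entropy of token_urlsafe(32): %.0f bits" % guess_entropy_bits(2 ** 256))
```

Against the insecure store, 3,727 sequential requests recover all three records because the id space is dense and tiny (about 11.9 bits). Against the hardened store the same budget recovers nothing, and even the genuine token only works for its owner. The entropy function is the arithmetic behind the "12 bits" remark above: it measures the guess space, not whether anyone intended it to be secret.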

Media like this never prosecuted (2, Insightful)

DVD9 (1751726) | more than 3 years ago | (#31246164)

If an unemployed blogger had done this he would get many years in prison (perhaps, I'm American so maybe this does not apply in Australia). Not only that, but the "newspaper" involved here would pay no attention to the blogger's rights and report the story the way the government prosecutors wished it to be written. The editor of this paper is laughing about the "controversy" and enjoying the attention as he is part of the club who run the country.