
Reuters Accused Of Hacking For Typing In URL

timothy posted more than 11 years ago | from the permission-granted-or-denied dept.

The Courts 569

Aexia writes "Intentia International, a company in Sweden, is suing Reuters for publishing an earnings report posted on their website prior to its official release. The catch? The report couldn't be accessed through 'normal channels', you had to know, or guess, what address to type in order to retrieve it. The precedent this case sets will be interesting. If you don't use a hyperlink on a website, are you committing a crime? You can also read Intentia's take on the situation."

569 comments

Related: what about referer logs (5, Interesting)

jukal (523582) | more than 11 years ago | (#4554264)

What if you get the link for the yet unpublic page from the referrer logs of your own site, for example www.reuters.com -logs. Would using that information be criminal?

Here's [slashdot.org] a related thread from yesterday.

Re:Related: what about referer logs (5, Interesting)

technix4beos (471838) | more than 11 years ago | (#4554289)

If their webserver is attached to the internet in any way, then anything it is "serving" is fair game, and should thus be protected appropriately.

This story sounds like someone got careless, and didn't lock down the folder the data lived in.

Sounds also like someone (their admin?) is trying to cover up the error by reporting to his (clueless?) bosses that obviously it was hacked, else how could they -ever- get that information, right? (yeah, right.)

Perhaps the admin should check out this handy url and order his copy soon.

http://www.amazon.com/exec/obidos/tg/detail/-/18 61 007221/qid=1035883929/sr=8-2/ref=sr_8_2/104-261132 8-8021524?v=glance&n=507846

I know I did, and it's invaluable.

Re:Related: what about referer logs (2, Informative)

TuringTest (533084) | more than 11 years ago | (#4554379)

Actually the correct link is this one [amazon.com] .

Re:Related: what about referer logs (0, Interesting)

Anonymous Coward | more than 11 years ago | (#4554304)

You think that's a rhetorical question, but it isn't: What about the http://www.someforum.com/?user=JohnDoe&pass=5f3H26 referer in your logs? Is that still just a "hidden" address and are you allowed to access that page?

What's in an URL? (1)

TheMidget (512188) | more than 11 years ago | (#4554385)

Hey, and what if you had the following link on your page instead?
http://www.someforum.com/?user=JohnDoe&pass='%2Busers.password%2B'
Would that be hacking?

Re:What's in an URL? (0)

Anonymous Coward | more than 11 years ago | (#4554419)

If this were to be considered hacking, then it would be the publisher of that link who is doing the hacking, not the one who clicks on it. The key idea is that many actions can be either lawful or unlawful and the distinction lies only in the intention. If you see a link which is obviously a login, your intention most likely isn't to "see where he came from" but to look at a hardly secured but still obviously non-public webpage.

Stating the obvious (5, Insightful)

Bartmoss (16109) | more than 11 years ago | (#4554269)

It could have easily been protected by .htaccess or whatever. So, they have no case. Let's hope Reuters won't budge, and the judge will have a clue.

True dat (1)

D+iz+a+n+k+Meister (609493) | more than 11 years ago | (#4554291)

How could it possibly be considered private if it was accessible by url?

As the parent pointed out, it could have been protected by .htaccess -- or -- it could have been placed somewhere other than on a "production" server.

Re:Stating the obvious (2, Interesting)

Boing (111813) | more than 11 years ago | (#4554349)

It could have easily been protected by .htaccess or whatever. So, they have no case.

A store can easily be protected by purchasing video cameras. That doesn't make it legal to burglarize a store that just uses lock-and-key.

Just because their attempt at security left a lot to be desired doesn't mean they have no case. Any website could "easily" be protected by some level of security, but having a lesser level of security doesn't absolve attackers.

Note that I am not arguing that Intentia has any legal ground. I'm just noting that your argument has nothing to do with the true legality of Reuters' actions.

Re:Stating the obvious (5, Insightful)

MalleusEBHC (597600) | more than 11 years ago | (#4554364)

A store can easily be protected by purchasing video cameras. That doesn't make it legal to burglarize a store that just uses lock-and-key.

The problem with your analogy is that they didn't even use a lock and key. Their doors were open for business and now they are getting mad that someone came in before they could put up the big neon "OPEN" sign.

Re:Stating the obvious (1)

bluFox (612877) | more than 11 years ago | (#4554359)

Ahlerup said that if authorities deem that Reuters retrieved the information from a public part of the Web site, it could set an important precedent, making anything on a company's Web server public information, he said.


Looks like he is trying to save his own skin - maybe from his boss who probably doesn't have a clue

Online or not. (2, Interesting)

dda (527064) | more than 11 years ago | (#4554270)

I think that by definition : online means available, and not linked. If it has to be sanctioned because it was online, then yes, they must be guilty.

Re:Online or not. (1)

rovingeyes (575063) | more than 11 years ago | (#4554439)

If it has to be sanctioned because it was online, then yes, they must be guilty.

Who gets to decide whether the stuff that is online is to be sanctioned? In this case, obviously the company which put it in the first place. In this instance I don't think there was any warning signs, disclaimers or those annoying alerts warning about the consequences if they view the page before the report is official.

What I don't understand is that why is this company pissed. It's like putting cheese cake outside (unattended) and expecting others not to touch it! Well though it might not sound ethical but again it is not like stealing either.

reuters and routers (0, Redundant)

joe_bruin (266648) | more than 11 years ago | (#4554271)

no no, you say it "router" ('rau-t&r).

nick nack paddy whack (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4554273)

Who cares?

Give a dog a bone... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4554292)

I do

Oh, great! (2, Funny)

Troy H Parker (600654) | more than 11 years ago | (#4554276)

Are we going to get "internet traffic tickets" now, instead of a 404 error?

Ridiculous! (2, Funny)

ChristW (18232) | more than 11 years ago | (#4554278)

Oh wow! Deep-linking outlawed, URL-typing outlawed! How long until hyperlinking itself is outlawed? Oh wait, I should ask BT that, since they own the patent on hyperlinking...

Besides, isn't 'regulating access to private information on a public website' what htaccess was for?

Re:Ridiculous! (5, Interesting)

Anonymous Coward | more than 11 years ago | (#4554317)

Here in Denmark we have a similar (but more serious) case. A micro-payment system called Valus owned and developed by a Norwegian bank (Den Norske Bank) was "hacked" on its premiere day by typing in a simple URL with the command SHUTDOWN at the end. The link to do this was published on an online debate forum and several people tried the link (although it had a warning that you should not try it:-). The problem was missing input validation (maybe the most basic security issue). Until now five people have been taken to court - one of them being the "mastermind" who posted the link. As a reaction to this behaviour Valus has been reported to the state agency for protection of personal data (Datatilsynet) for not securing personal data.

Insecure or Unsecure or something... (1)

failrate (583914) | more than 11 years ago | (#4554280)

Yeah, if they didn't have crypto on it, then Reuters didn't hack anything. The beef of this whole thing is that the company was tanking, anyway, and I betcha they're using this whole stupid thing as some kind of scapegoat or smokescreen.

Stupidity (5, Insightful)

e8johan (605347) | more than 11 years ago | (#4554281)

Quotes are from Intentia's press release concerning the investigation.

"Reuters News Agency Broke into Intentia's IT Systems"

I would not call it breaking in to surf on someone's homesite.

"there was an unauthorized entry via an IP-address belonging to Reuters"

What do they mean, do I have to call them and ask for permission before accessing files publicly available on their homesite?

As Reuters didn't steal anything, but simply pointed at an open window (that they found) I would have to say that their act was not illegal. What they should investigate is their internal safety policies, because they need a revision or two (IMHO).

Re:Stupidity (0)

Anonymous Coward | more than 11 years ago | (#4554390)

IMHO, I think Intentia's security methods were security through obscurity - posting pre-release material onto the server and hoping no one would find it. This is a really bad way of doing things because it doesn't work. I've lost count of the number of articles I've seen on here that say "See pictures of the new ABC from XYZ! Update: the pages have been removed but there's a mirror here..."

I mean, only a moron would put something they didn't want anyone to see on a web server, right?

Re:Stupidity (4, Insightful)

Jezza (39441) | more than 11 years ago | (#4554426)

Well yeah that's right, if you don't protect the information (and "not making the URL public" isn't protection) then you have to realise that people can look. I can't see what they're expecting to gain by this. All they have done is make the information MORE visible and highlight that they have NO CLUE.

Once this information was in the public domain then I think their best policy would have been to do nothing, perhaps just issue the information with the best spin they could.

Taking them to court seems like a REALLY BAD idea.

Silly (2, Insightful)

Anonymous Coward | more than 11 years ago | (#4554284)

The whole purpose of an internet server is to make information available to the public. There are specific provisions for restricted documents and Inertia's ignorance of those provisions is not the responsibility of the people who visit their site.

Nothing to do with links. (4, Insightful)

tunah (530328) | more than 11 years ago | (#4554285)

If you don't use a hyperlink on a website, are you committing a crime?

It's not about the existence (or not) of the link, but the source of the URL. While I don't agree with it, I think what they are saying is that if a site doesn't publish a URL (usually through a link, but could be in print, etc) it is not public information and accessing it is unauthorised access. This is the same attitude (if not specific issue) that has a problem with deep-linking [slashdot.org] too.

that's cold man. (2, Insightful)

xirtam_work (560625) | more than 11 years ago | (#4554287)

anybody who strays from the 'garden path' of links provided shouldn't be deemed a criminal.

However, it depends upon what you do with this so-called unpublished material.

What Reuters did exposed the company to a situation before they were ready. Seems to me like the company should have taken more adequate security such as using htaccess passwords, etc.

In court I hope Reuters don't get busted for accessing the information, but for publishing details about it. After all I'm sure that the company in question had a copyright notice on all their pages, right?

Re:that's cold man. (4, Insightful)

dipipanone (570849) | more than 11 years ago | (#4554362)

What Reuters did exposed the company to a situation before they were ready.

Which is precisely what you'd expect them to do, Reuters being a press agency and all.

In court I hope Reuters don't get busted for accessing the information, but for publishing details about it.

Damn straight. If it weren't for those goddamned financial journalists, I bet Enron would still be trading today. The freedom of the press has got no business interfering with our right to earn a dishonest dollar.

After all I'm sure that the company in question had a copyright notice on all their pages, right?

So what? Do you really believe Reuters breached their copyright in the report?

Get a jar of glue, man.

Re:that's cold man. (1)

jhunsake (81920) | more than 11 years ago | (#4554455)

Reuters published a summary of the report, not the report itself, so no breach of their copyright was carried out.

Re:that's cold man. (2)

Mr_Dyqik (156524) | more than 11 years ago | (#4554403)

As I see it the material was published.

When the server responded to the http request, it served the document, thereby publishing it.

Or if you look at it another way, someone copied the document to a folder on the server that could be accessed by the public. This act may also be regarded as publishing.

The complaint seems to be the equivalent to a book publisher complaining that a book store sold a copy of a new book to someone who came in and asked for it, before the publisher started the marketing campaign.

mandatory pr0n reference (5, Funny)

stud9920 (236753) | more than 11 years ago | (#4554288)

Well I do it all the time when browsing pr0n. Suppose you have an url like this one : http://www.hotteenchick.com/free/tgp/melanie08/mel anie08.html,
it doesn't take long to figure out where the other pics are.

Re:mandatory pr0n reference (5, Funny)

Anonymous Coward | more than 11 years ago | (#4554384)

Am I the only one who tried this URL?

Re:mandatory pr0n reference (0)

Anonymous Coward | more than 11 years ago | (#4554444)

The anal shot was not for public consumption, you crook.

There are technical solutions (5, Insightful)

toriver (11308) | more than 11 years ago | (#4554290)

In my opinion, any HTTP GET request is exactly that, a request. "May I have that resource, Server Sir?". And if the server (which is the thingy that is responsible for allowing or refusing the request) actually sent the requested resource/document back to the client, it has answered "Yes, you may" by responding with the resource.

If the publishers of the resource wanted to limit access to the resource they could add authentication, referer checking, or a timestamp check - anything, really. Since they did not, I fail to see how they can have a case.

"Security through obscurity", like having a non-linked but available resource, is self delusion.
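An added example, not part of the original comment: a small audit that walks a document root, follows links from the home page, and reports files the server would hand out that are neither linked nor covered by an `.htaccess` access restriction. The sample site, its file names and the helper names are constructed for illustration; it assumes Apache with `AllowOverride` enabled and the default rule that refuses to serve `.ht*` files.

```python
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Directives that restrict access (Apache 2.4 "Require", 2.2 "Deny from all").
AUTH_RE = re.compile(
    r"^\s*(Require\s+(valid-user|all\s+denied)|Deny\s+from\s+all)\b", re.I | re.M)


class LinkCollector(HTMLParser):
    """Collects href/src attribute values from one HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src") and v]


def linked_paths(docroot, start="/index.html"):
    """URL paths reachable by following same-site links from the start page."""
    seen, queue = set(), [start]
    while queue:
        path = queue.pop()
        if path.endswith("/"):
            path += "index.html"
        if path in seen:
            continue
        seen.add(path)
        fs = os.path.join(docroot, *path.strip("/").split("/"))
        if not (os.path.isfile(fs) and fs.endswith((".html", ".htm"))):
            continue
        parser = LinkCollector()
        with open(fs, encoding="utf-8", errors="replace") as fh:
            parser.feed(fh.read())
        for link in parser.links:
            u = urlparse(urljoin(path, link))
            if not u.scheme and not u.netloc:      # ignore external links
                queue.append(u.path)
    return seen


def protected_by_htaccess(docroot, file_path):
    """True if an .htaccess between the file and the docroot restricts access."""
    root = os.path.abspath(docroot)
    d = os.path.dirname(os.path.abspath(file_path))
    while True:
        ht = os.path.join(d, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8", errors="replace") as fh:
                if AUTH_RE.search(fh.read()):
                    return True
        parent = os.path.dirname(d)
        if d == root or parent == d:               # reached docroot or fs root
            return False
        d = parent


def audit(docroot, start="/index.html"):
    """Served files that are unlinked AND unprotected: obscurity is all they have."""
    linked = linked_paths(docroot, start)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.startswith(".ht"):             # not served by default config
                continue
            full = os.path.join(dirpath, name)
            url = "/" + os.path.relpath(full, docroot).replace(os.sep, "/")
            if url not in linked and not protected_by_htaccess(docroot, full):
                findings.append(url)
    return sorted(findings)


def demo():
    """Builds a constructed sample site in a temp dir and audits it."""
    site = {
        "index.html": '<a href="reports/q2.html">Q2</a> '
                      '<a href="http://example.org/">elsewhere</a>',
        "reports/q2.html": "<h1>Q2 report</h1>",
        "reports/q3.html": "<h1>Q3 report, not yet announced</h1>",
        "staging/.htaccess": 'AuthType Basic\nAuthName "staging"\n'
                             "AuthUserFile /etc/apache2/.htpasswd\n"
                             "Require valid-user\n",
        "staging/q4-draft.html": "<h1>Q4 draft</h1>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in site.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(root)


if __name__ == "__main__":
    for url in demo():
        print("served, unlinked, no access control:", url)
```

Anything the audit lists should either be moved off the public server or placed under real access control before it is uploaded.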

Mod parent up (1, Insightful)

JanusFury (452699) | more than 11 years ago | (#4554329)

A very intelligent point. They didn't hack anything, they asked for the document, and the server gave it. They have absolutely no case.

Re:Mod parent up (1)

grahamm (8844) | more than 11 years ago | (#4554405)

True, but will the courts see it that way?

Re:There are technical solutions (1)

sverrehu (22545) | more than 11 years ago | (#4554345)

How about this one, then:

http://www.example.com/foo.asp?id=1;DELETE+FROM+Stuff

It's just a GET request, but if the site suffers from SQL Injection problems, which many sites do, stuff may be deleted from the database.

Re:There are technical solutions (2)

toriver (11308) | more than 11 years ago | (#4554400)

Well, it's a request that ends up having side-effects due to lack of security in the server's implementation. Intentional or not - foo.asp could just as well have had an explicit, random DELETE for a request it saw, would the page author, engine writer or the client user be responsible?

(I would still claim that a request for a file cannot be compared to a malicious attempt at exploiting a known server-side bug.)

Re:There are technical solutions (1)

frp001 (227227) | more than 11 years ago | (#4554401)

It is probably important to differentiate, the action from the intent of the action:
In the case you state there is definitely intention of destroying
In Reuters case they were just requesting information. (with the intent of publishing it, but that's what they get paid for)
I would say one is wrong the other isn't.
Anyway in Intentia situation, this would be like if you got sued for viewing and publishing hidden easter eggs on software...

Re:There are technical solutions (2)

Tony-A (29931) | more than 11 years ago | (#4554416)

It's just a GET request, but if the site suffers from SQL Injection problems, which many sites do, stuff may be deleted from the database.

If you think hackers are a problem, imagine that coming accidentally into an inhouse system where it can really do some damage. Me, I think I'm liking the hackers. They may be a bit embarrassing, they try to do it with minimal real damage.

but are there tech solutions for a meme? (1)

SgtChaireBourne (457691) | more than 11 years ago | (#4554394)

"Security through obscurity", like having a non-linked but available resource, is self delusion.
Yes, but a lot of Swedish businesses have the Microsoft virus among their management. Security through obscurity is just one of the symptoms. Most technology issues are still off the radar except as buzzwords or the occasional expensive, proprietary "IT-Solution/Thneed" sold by the progeny of old college buddies. Swedish reporters found that most businesses don't (can't?) respond to e-mail. So I'd speculate that "IT" expenditures are more a status symbol than a tool.

The "80's" hit Sweden in the 90's.

Re:There are technical solutions (4, Insightful)

sco08y (615665) | more than 11 years ago | (#4554417)

"Security through obscurity", like having a non-linked but available resource, is self delusion.

That's one of those mantras that get repeated until people believe they're true.

Fact is, all security is obscurity. Security rests on the notion of a shared secret. Some key that both you and the other guy know.

In my opinion, any HTTP GET request is exactly that, a request. "May I have that resource, Server Sir?".

So if I add a login header, is that just another GET request? It's the difference between http://root:12345@www.0wn3d.com/ and http://www.0wn3d.com/.

Or what if I add an obscure folder name to the URL like sf908h234ff98hs9f?

You might argue that the actual crime was in obtaining the password, and I agree that (for example) fraudulently claiming to be an employee (psychological hacking) is criminal, but it's a separate offense.

That's why breaking into someone's house is "breaking & entry." Even if you don't have to break in, entering is still criminal.

The problem with "ah well, these guys were just poking around, the publishers should have used proper security" is that it raises the bar of what security is to what we experts think it ought to be. Many people don't have the capability to employ such measures, so we're denying them legal recourse.

It would cause the same kind of division in society as if we had a law that said burglary doesn't count unless you have an expensive security system.

Re:There are technical solutions (5, Interesting)

D+iz+a+n+k+Meister (609493) | more than 11 years ago | (#4554460)

The problem with "ah well, these guys were just poking around, the publishers should have used proper security" is that it raises the bar of what security is to what we experts think it ought to be. Many people don't have the capability to employ such measures, so we're denying them legal recourse.

1. These people are experts.
2. From a practical viewpoint, it should not have been on that server if it wasn't to be served. Anyone with sensitive data should at least be able to employ that measure.
3. Why should they have legal recourse against typing things in the address bar of a browser?

Hacking? (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4554293)

That would imply the firm took some sort of measure that was circumvented. Last I heard you did not NEED to post anything (for storage purposes) to a website...doing so makes them accessible. Also, you can set permissions for your webserver/directories, so I do not see why they are making a fuss. Maybe they should have secured the page-or better yet, not put it on the server until it was ready. Smart webmasters/admins have already dealt with this (Ex: PHP Nuke will not let you access a module ("section") outside of the script). Isn't there something called .htaccess?

Bah

As the adage goes (1)

sarcast (515179) | more than 11 years ago | (#4554294)

How many times have we heard this:

"Anything you put up on the internet is there forever."

I don't understand why a company would put sensitive financial reports on their web server and then complain when someone finds them there with an easily guessable name no less.

While Reuters should have had a bit more discretion seeing as how they are supposed to be an international news organization, I can't say that I feel sorry for this company if they did something that dumb.

Re:As the adage goes (2, Insightful)

trezor (555230) | more than 11 years ago | (#4554358)

In the news-business it's always about speed. Being the first one bringing the news. Getting authorised the rights to publish something that's already on the web would seem like a waste of time in any case in this business.

If I found a page on the net, which seemed relevant to my news-page, I'd link it and not check if it's ok. It's already on the web, right?

And anyone clueless enough to put sensitive documents accessible to the public should suffer the consequences. Maybe he'll learn.

Exactly (1)

D+iz+a+n+k+Meister (609493) | more than 11 years ago | (#4554414)

I don't stand in front of the window facing the street with the curtains open, beating my meat when I don't want to be seen jerking off.

Well, except when, uh, you know. . .

if Intentia prevails, it would be very bad (5, Insightful)

g4dget (579145) | more than 11 years ago | (#4554307)

Many people truncate URLs to avoid dealing with broken site navigation systems. Mozilla and Galeon even have an "up" button. Other pages may become unlinked but may still be linked from a log or search engine. Some files, like /robots.txt, are almost never linked to, yet everybody knows they are there. And more than once, I have mistyped a host name along with a URL and gotten a web page that looked not entirely public (logs, etc.).

In some areas of law, it's unavoidable drawing fuzzy boundaries and considering intent. However, in this case, anybody who wants to protect their information on the web easily can, using standard web access control schemes; they don't need to rely on using obscure URLs. Let's not burden the courts with this.

This is part of a more general and disturbing trend, where lazy system admins don't spend the time set up their systems correctly, or management hires incompetent and cheap staff, and then try to use the court system and police (i.e., taxpayer money) to make up for their own shortcomings.

Re:if Intentia prevails, it would be very bad (2)

squaretorus (459130) | more than 11 years ago | (#4554361)

The Up button point is an interesting one. If guessing a URL is to be seen as a criminal act these had better disappear, or check against the engines to find if it's in the public domain yet before allowing it. Nonsense!

The whole point here is that many people set up important web sites as though they contained nothing more important than pics of their girlfriend on the beach. When someone stumbles across that document showing the REAL balance sheet the board go ape shit and try to sue someone.

Confidence (5, Funny)

Znork (31774) | more than 11 years ago | (#4554308)

"The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB."

Um, yeah. If you can't tell the difference between 'storing confidential data in an access controlled place on your internal network' and 'storing confidential data on an open-for-all external site' it sure will damage my confidence in Intentia as a company. Incompetent is a fairly fitting description.

Re:Confidence (5, Funny)

trezor (555230) | more than 11 years ago | (#4554391)

From Intentia's homepage [intentia.com] , as in -the- front page:

  • Our mission is to pursue the perfect partnership, providing security in our customers' transformation to collaborative business models.
Did anyone say -security-? This is really hilarious :)

This should be a good lesson to companies. (1)

Jeriki (563090) | more than 11 years ago | (#4554309)

Don't ever put anything on a publicly accessible webserver unless you want it to be seen. Of course I doubt they'll learn...

From Intentia's Website. . . (1)

D+iz+a+n+k+Meister (609493) | more than 11 years ago | (#4554310)

"The incident has severely damaged confidence in us as individuals and in Intentia as a company"

Well I should hope so. A business that writes software so business can collaborate should know how to run a webserver.

They screwed up and blame Reuters. (2)

miffo.swe (547642) | more than 11 years ago | (#4554311)

The one person that put the document on a public webserver is the one who's to blame. No matter how they toss and turn it it was accessible without any access restrictions from the web. Nothing was hacked and no password guessed.

I really hope that the court handling this case will understand how a webserver functions. In that case it's all clear who's to blame.

Mantra (5, Insightful)

RAMMS+EIN (578166) | more than 11 years ago | (#4554314)

Repeat after me:
If you don't want people to read something, don't put it on the Internet.

Let's hope this falls flat on its face... (2, Interesting)

grahamtriggs (572707) | more than 11 years ago | (#4554315)


Let's think about this for a minute... if I remember the URL that was used to access a particular resource, and just type it in again at a later date (or even just recall a stored bookmark), am I hacking the site, just because the link I used originally may not exist any more?

Hell, if I just type a domain name into the browser, am I considered to be hacking the site (because it may not be indexed by the search engines yet, etc.)?

The internet is a 'public' network... (in terms of ability to access resources, not necessarily in the ownership of the material found there)...

It is easy enough to 'secure' data (at least in a trivial sense), and the responsibility has to be on the 'publisher' to make a reasonable attempt to protect data that they do not wish to be generally available... not linking to a resource does not constitute a reasonable attempt.

Raises some interesting ideas (3, Interesting)

Stubtify (610318) | more than 11 years ago | (#4554316)

While this seems absurd on the surface, I could see a judgement going either way, for mainly two reasons.

First, Reuters' position would probably be that the data was on a public network which was in plain view as long as the url is typed in. I myself do this all the time, why go to www.microsoft.com, click once on support, then click on download when I know the url I want is www.microsoft.com/download. It saves time and trouble. However their "accidental" stumbling upon of this data, which is far more important than anything I'd ever likely find on accident would most likely not fall into the same category. IANAL, but at the same time I would argue that anything they don't want leaked shouldn't be put online anyway, and especially without any security.

However, I can see Intentia International's point of view. What's to stop someone from simply hitting their webserver with every alpha-numeric combination possible. They'll eventually come across the correct one for some piece of information which had gone previously undiscovered because it was to be placed up at a time which was decided by Intentia or any other company for that matter. I could see a moldy old judge siding with them, saying that using "www.intentia.com/~a2eslcf/info/docs/hidden883/financial reports.html" for example would constitute an attempt at placing some level of security on the data for the time being, almost a password. And, scarily enough if they showed a direct relationship between all pages not yet linked and their corresponding URL perhaps a big fat DMCA case might come about if Reuters or someone figured that "~a2eslcf" meant "third quarter" in some sorry 2 bit encryption.

of course not (2, Insightful)

ferrocene (203243) | more than 11 years ago | (#4554319)

It's not hard to crawl a website, such as search engines do all the time. Yet I bet they're not going to sue google which undoubtedly had a cache of the site before it went public (robots allowed, of course).

And if your server is set to list directories, then it's already "serving" away all of its pretty little files without much prodding (funny, how a server...serves...files).

http://www.intentia.com/w2000.nsf/pages/PR_5BBD3 A

" The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters. The entry took place at 12:51 pm on October 24th 2002, prior to the publication of the interim report for the third quarter of 2002. At approximately 12:57 pm, Reuters published the first news flash giving information on Intentia's third quarter result, without prior confirmation from the Company..."The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.

"We question the methods used by Reuters, and our judgement is that we cannot rule out the possibility of illegal actions. As a consequence we will file criminal charges regarding the incident," says Björn Algkvist.

"We will disclose to the Stockholm Stock Exchange all technical details on how the intrusion was made, which will allow them to share this information with other listed companies, so that actions preventing similar events in the future can be made," concludes Björn Algkvist. "

Tip for the Swedes over there at Intentia International:
"chmod --help" -or-
"mv --help"

If an unauthorized page isn't met with a 404 or 403, you did something wrong.

url's are like phone numbers (5, Insightful)

phr2 (545169) | more than 11 years ago | (#4554323)

Deep linking has the same issue. URL's are like phone numbers.

The company homepage, www.corp.com, is like the main switchboard number, say 555-1000.

URL's reachable through the home page (www.corp.com/foo/bar) are like internal extensions you can find through the voice menu system (555-1357).

The link with the earnings report is like an extension (555-2468) not on the voice menu, that came off somebody's business card or answering machine or some unknown channel.

That's it. Reuters is being sued over something very much like calling an unlisted direct phone number inside some company. How they got the phone number is, well, irrelevant. They're a news organization, they have reporters, whose job is digging up info like phone numbers.

Deep linking works the same way for anyone else too, of course. Like duh, if you don't want something to be reachable without going through the switchboard, don't give it a direct number exposed to the outside world.

Definition... and metaphorical example... (3, Insightful)

httpamphibio.us (579491) | more than 11 years ago | (#4554324)

It depends on how you define hacking... if they had no inside information about the URL, then yeah, guessing the URL would be a type of hacking but, I don't believe, one that could be punishable by law. For example, if I put an object I own in a public place... say, some place where the object is hidden but could be found if somebody was looking for it. Then a couple days later it's gone... is that theft? Sure, but, again, I don't think it can be punished. One of those "you should have known better," examples.

Re:Definition... and metaphorical example... (2, Interesting)

Ripplet (591094) | more than 11 years ago | (#4554378)

Sure it can be punished, if:
1. You can find the person who now has the object.
2. You can prove that particular object is yours.
That's theft alright. Coupla big 'if's though.

But if you leave some secret object in a public place, and someone takes a photo of it and publishes it, but leaves the object there, can you punish them for that? Ridiculous right?

So I'm allowed to guess www.intentia.com, but I'm not allowed to guess www.intentia.com/topsecret.html?
Ridiculous again.

Case dismissed.

Re:Definition... and metaphorical example... (1)

upside (574799) | more than 11 years ago | (#4554422)

And if it's www.intentia.com/cgi-bin/topsecret.cgi?password=123&user=abc&session=111 they might have a case.

WTF (2, Interesting)

aristoidaneel (308018) | more than 11 years ago | (#4554327)

If you transmit something via RF, anyone can listen to it. It doesn't matter the content. If you don't take precautions to restrict access to information, then you might as well be giving it away. It doesn't matter that the Police don't want me listening to their transmissions, they don't encrypt them, or protect them, so they are mine for the taking; whether or not the freq is listed (although it almost always is listed here in the US). URLs like frequencies are just a way of addressing specific data. (from the human point of view...)

Pass the buck... (1)

inimcus (554859) | more than 11 years ago | (#4554328)

It looks to me like they are trying to stretch the law to make up for bad server administration. I say if it is served up by your server, it is fair game. Putting something on your machine that can be served on request makes it public domain.

It's a bit /.'ed, here's the text (3, Funny)

SexyKellyOsbourne (606860) | more than 11 years ago | (#4554330)

Stockholm, Sweden -Intentia International (publ.) announces the results of its internal investigation launched due to circumstances around the fact that Reuters published Intentia's fourth quarter results for 2002 prior to the scheduled publication on October 24th. "The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.

The investigation has shown that there was an unauthorized entry via an IP-address belonging to Reuters using an exploit in the web server. The entry took place at 11:51 pm on October 24th 2002, prior to the publication of the interim report for the fourth quarter of 2002. At approximately 12:57 pm, Reuters published the first news flash giving information on Intentia's third quarter result, without prior confirmation from the Company. Intentia issued its earnings report ahead of schedule at 1:22 pm that same day. "The incident has severely damaged confidence in us as individuals and in Intentia as a company, and has cost millions of dollars worth of damages" says Björn Flänsost, CEO of Intentia International AB.

"We question the methods used by Reuters, and our judgement is that we have been the target of illegal actions. As a consequence we will file criminal charges regarding the incident, and will seek the maximum penalties for all those involved" says Björn Flänsost.

On Thursday, Intentia contacted the Stockholm Stock Exchange regarding an internal investigation of the incident. "We will disclose to the Stockholm Stock Exchange all technical details on how the intrusion was made, which will allow them to share this information with other listed companies, so that actions preventing similar events in the future can be made," concludes Björn Flänsost.

Re:It's a bit /.'ed, here's the text (0)

Anonymous Coward | more than 11 years ago | (#4554424)

Björn Flänsost?

I think someone has done some hacking himself,
considering what flänsost is slang for in Swedish..
(don't ask..)

Not everyone in the world is a /.'er (4, Interesting)

MalleusEBHC (597600) | more than 11 years ago | (#4554333)

"The investigation has been detailed and has included all relevant staff and processes that handle confidential information, as well as technical security," said Thomas Ahlerup, Head of Corporate and Investor relations of Intentia International AB.

While most everyone here will agree that Reuters at worst could have their actions described as exploiting Intentia's utter stupidity, quotes like this show how little some people know about computers. This guy obviously thinks that just because they didn't provide an explicit hyperlink that the data on their server is "confidential." What I fear is that some non-technology savvy judge will actually follow this same train of thought and rule against Reuters. Is this ridiculous? Yes. Is it unfortunately all too real of a possibility? Yes as well.

PS - I checked Netcraft and they are running Windows 2000 [netcraft.com] . Is it any surprise that their security guys would believe that data freely available on their server is secure if they also think a server on Win2k is secure in the first place?

Re:Not everyone in the world is a /.'er (1)

trezor (555230) | more than 11 years ago | (#4554438)

Ok. This is probably offtopic, flamebait or both. It wasn't meant as it though, but here goes.

As long as the sysadmin is so absolutely clueless it really doesn't matter whether he uses IIS or Apache. But people like this are called IT-professionals you know. You know those guys with MSCE-certification and magic-'reboot or reinstallation fixes all'-powers and all :)

Whoopie. (2)

lewp (95638) | more than 11 years ago | (#4554334)

Unless it was stated somewhere that the information was internal or unpublished (I didn't see that said anywhere) and if it was available on a public server (it apparently was), I don't see how even a court of law could find fault with Reuters' actions (and I'm not much into giving credit to the judicial system at this point).

In the court of clue (heh, I made that up!) they should be charged with three counts of public stupidity. One, for putting the information on a publicly reachable server in the first place if it was that important that no one see it yet. Two, for not protecting said information beyond just not linking to it from anywhere. Three, for suing. I'm just getting damn tired of companies suing people and each other because they don't understand their own technology at this point.

Now, how they got the URL might be another story if there was an employee who leaked it or something, but I wouldn't be surprised if the explanation was simply all their earnings reports were available as files in the same directory as earnings-200x.html.

Doesn't seem very serious of Intentia (4, Informative)

nordicfrost (118437) | more than 11 years ago | (#4554337)

I always thought the golden rule was "If you don't want anyone on the 'net to see it, don't publish it!". That's what we use on our site, if a new music video is to be published monday at noon, it is uploaded 11:59 and linked 12:00.


AFAIK: There hasn't been a case like this in Scandinavia, so it could be interesting to see the outcome. Having read quite a lot of Norwegian and Swedish judgements on the subject, I think Intentia don't have a case as long as Reuters did not break any protection to get the documents.

A URL is an Address. (1)

Troy H Parker (600654) | more than 11 years ago | (#4554338)

An internet address is like any other address. Is it illegal to find someone's house by giving directions to it?

When are people going to stop thinking of URL's and Domain names as trademarks, and more like Addresses?

Not always (1)

upside (574799) | more than 11 years ago | (#4554448)

URLs can contain session data such as usernames and passwords for processing by cgi-scripts, in which case meddling with those can be seen to constitute hacking.

Look! A snake! (5, Insightful)

adolf (21054) | more than 11 years ago | (#4554342)

Funny stuff, this.

I'm going outside, right now, with copies of some of my own financial statements.

I'm going to throw them onto the Main Street sidewalk, and stand just near enough to the pile that I can serve hastily-drawn lawsuit papers to anyone who dares to look.

The documents are undeniably my property, after all. Nobody has the right to see them unless I erect a big fucking sign pointing them out, even if they are scattered about a public walkway.

[Moral for the sarcasm-impaired: If you don't want your information to be public knowledge, now or ever, don't let it be publicly available. At all.]

google cache discussion over again... (1)

proxybyproxy (561395) | more than 11 years ago | (#4554346)

What a lot of people don't seem to realise is that the google toolbar [google.com] is allowed [google.com] (but apparently doesn't [webmasterworld.com] ) to send back the URLs you visit, and toolbars (like alexa) and spyware do send back URLs you visit for indexing.

Furthermore, even if an engine like google didn't get the link from the toolbar, it could still get it from someone's referer logs.

If you don't want someone to read it - don't put it online.

A decent writeup, and an interesting question... (5, Informative)

Thalia (42305) | more than 11 years ago | (#4554351)

Here is a decent writeup [theregister.co.uk] from The Register. The accusation is that "results could only be accessed via a 40 character ID code." Now whether this is an extended address, or a password is unclear. It also notes that there are a couple of other firms that have also accused Reuters of hacking into their systems to get early access to reports.

Actually, this does raise an interesting question. If a page is put on the web that cannot be spidered, and cannot be reached from any publicly available page, can we assume that anyone who accesses that page has some sort of unauthorized information? I have never heard of hackers systematically trying IP addresses for content. And it is in fact likely that Reuters got the info from an employee... in violation of the employment agreement.

This should be a fascinating case, and not nearly as easy as the writeup makes it seem.

Thalia

Re:A decent writeup, and an interesting question.. (1)

upside (574799) | more than 11 years ago | (#4554407)

Yeah, as usual everyone has rushed to make their own conclusions without bothering to think of plausible explanations other than stupidity. I can think of two ways in which Intentia could have a point: 1. A URL is not always just an address. If the URL contains session data such as a session key or password, the URL is in effect the upstream channel of a client-server connection. Manipulating the URL is then similar to altering packets in an IP stream. 2. The page isn't linked from anywhere and hasn't been used previously. Options Indexes is off. Now, if someone fetches the pages it's probable evidence of either a leak or a previous hack into the system.
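Added example, not part of the thread: the second point above (a fetch of a page that is linked from nowhere is itself a signal of a leak or earlier compromise) can be turned into a log check. The log lines, paths, addresses and the `find_unpublished_fetches` name are constructed for illustration; the format assumed is the common "combined" access log.

```python
import re
from ipaddress import ip_address, ip_network

# One line of a "combined" format access log.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed inputs: paths uploaded but not yet released, and the office network.
UNPUBLISHED = {"/reports/q3-2002.html"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
10.1.2.3 - - [01/Nov/2002:09:40:02 +0100] "GET /reports/q3-2002.html HTTP/1.1" 200 48211 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Nov/2002:09:50:10 +0100] "GET /reports/q2-2002.html HTTP/1.1" 200 40122 "http://www.example.com/investors/" "Mozilla/4.0"
198.51.100.7 - - [01/Nov/2002:09:51:33 +0100] "GET /reports/q3-2002.html HTTP/1.1" 200 48211 "-" "Mozilla/4.0"
203.0.113.9 - - [01/Nov/2002:09:52:00 +0100] "GET /reports/q3-2002.html HTTP/1.1" 403 310 "-" "Mozilla/4.0"
"""


def is_internal(ip_text, internal_nets):
    """True if the client address is inside one of the trusted networks."""
    try:
        addr = ip_address(ip_text)
    except ValueError:
        return False  # hostname or garbage in the log: treat as external
    return any(addr in net for net in internal_nets)


def find_unpublished_fetches(log_text, unpublished, internal_nets):
    """Return external requests for paths that should not be known outside yet."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if path not in unpublished or is_internal(m["ip"], internal_nets):
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": path,
            # served=True means the content actually left the building
            "served": int(m["status"]) < 400,
            # no Referer: the URL was typed, bookmarked or passed along out of band
            "direct": m["referer"] in ("", "-"),
        })
    return findings


if __name__ == "__main__":
    for hit in find_unpublished_fetches(SAMPLE_LOG, UNPUBLISHED, INTERNAL_NETS):
        print(hit)
```

A finding with `served` true is a disclosure to investigate; one with `served` false shows that someone outside already knew the path even though the server refused it.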

Re:A decent writeup, and an interesting question.. (0)

Anonymous Coward | more than 11 years ago | (#4554415)

The 40 character ID code:

http://www.intentia.com/reports/latest/we_are_going_down_the_pan.pdf

Anybody could have guessed that ^_^

It is Lotus Domino... (5, Informative)

Cpt_Corelli (307594) | more than 11 years ago | (#4554428)



Please note that they are using Lotus Domino [lotus.com] as their web server. This means that there are no physical directories that you can chmod or "look into".

The URL contains the Domino internal document ID (similar to a GUID) and I still can not understand how Reuters "guessed" that. Sounds to me like this is an internal leak...

unlisted numbers (3, Insightful)

cosyne (324176) | more than 11 years ago | (#4554360)

In other news, dialing unlisted phone numbers without the express written consent of the number's owner is now a criminal offense.

Krikey. I just don't know where they find people this stupid. Same goes for this deep linking crap. Maybe people should have to pass some sort of test before they get to use the Internet. Otherwise they have to use AOL until they at least understand that anything you post to the web could be publicly accessible.

Similar situation in the Petswarehouse case (0)

Anonymous Coward | more than 11 years ago | (#4554363)

One of the defendants in the Petswarehouse case was accused of "hacking" into the petswarehouse site. He did this by altering one digit of a URL.

After he placed an order, it sent him to a page that was a simple URL that contained an order number. That page displayed ALL of his info, including credit-card number. He decided to see what would happen if he changed a single digit in the order number. Imagine his surprise when he saw some other customer's order complete with CC number!

Petswarehouse actually tried to get the FBI to charge him with computer crimes for this amazing display of L88T HAX0R skillz. (sorry, I suck at hacker speak!)

For info about the case, see:
http://petsforum.com/psw/Docket.htm

email i sent the webmaster and investor relations: (2, Insightful)

ferrocene (203243) | more than 11 years ago | (#4554367)

From: "ferrocene"
To: ,

Subject: Re: Lawsuit @ http://www.intentia.com/w2000.nsf/pages/PR_5BBD3A

If an unauthorized page isn't met with a 404 or 403, you did something wrong. You have an incompetent webmaster. The proper way to remove a book from the library isn't to remove the card catalog, it's to remove the book.

-erik-
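Added example, not part of the thread: one way to get the "404 or 403" behaviour asked for above, and to make the "upload at 11:59, link at 12:00" routine from an earlier comment unnecessary, is to let the server decide on release time and role rather than on whether a link exists. The paths, times, role name and `handle_get` function are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Document:
    body: bytes
    release_at: datetime  # embargo lifts at this instant (timezone-aware, UTC)


PREVIEW_ROLE = "investor-relations"  # hypothetical role allowed to proof-read early
NOT_FOUND = (404, b"Not Found")

# Constructed document store: Q2 is already public, Q3 is uploaded but embargoed.
STORE = {
    "/reports/q2-2002.html": Document(
        b"Q2 report", datetime(2002, 8, 1, 10, 0, tzinfo=timezone.utc)),
    "/reports/q3-2002.html": Document(
        b"Q3 report", datetime(2002, 11, 1, 12, 0, tzinfo=timezone.utc)),
}


def handle_get(path, roles, now, store=STORE):
    """Return (status, body) for a GET request.

    Whether any page links to `path` plays no part in the decision: a
    predictable name such as q3-2002.html next to q2-2002.html is assumed
    to be guessable.
    """
    doc = store.get(path)
    if doc is None:
        return NOT_FOUND
    if now >= doc.release_at or PREVIEW_ROLE in roles:
        return 200, doc.body
    # Same answer as for a missing file, so the response does not even
    # confirm that the report has been uploaded.
    return NOT_FOUND


if __name__ == "__main__":
    early = datetime(2002, 11, 1, 11, 0, tzinfo=timezone.utc)
    print(handle_get("/reports/q3-2002.html", set(), early))
    print(handle_get("/reports/q3-2002.html", {PREVIEW_ROLE}, early))
```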

Here in France (4, Informative)

OrangeSpyderMan (589635) | more than 11 years ago | (#4554370)

For the record, there was a case recently here in France where a judge ruled in favour of a person who hacked the website of Tati, a retailer. In fact the only tools the hacker used were a regular browser, and the information was insufficiently protected. French speakers can read more here [kitetoa.com] . Google should be able to help the others :-). While this case isn't the same, in France this has made jurisprudence that information that isn't protected at all from basic navigation tools, can't be considered to be "stolen", even if the original intent was not to publish it.

What about google? (1)

Frnak (556880) | more than 11 years ago | (#4554372)

I'm no expert on how search engines work, but what if google had indexed the page (or whatever they do) first? Would google be sued then? Reuters did nothing wrong by accessing Intentia's server and Intentia knows it. It's just a humiliating situation for the company and now they need to find someone to blame.

The fact that Reuters published information that they (possibly) knew wasn't yet published could be seen as something you shouldn't do. But then again, if it's secret don't put it on the web.

One final word: .htaccess

Like when the ATO was "hacked" (3, Funny)

bovril (260284) | more than 11 years ago | (#4554376)

A few years back someone found they could get other people's details from the Australian Tax Office's site by manipulating the URL (that's the impression I got anyway). An ultra-quick googling turned this [abc.net.au] up. What happened to this guy? I can't remember. All I can remember is that he sounded really embarrassed when he was being interviewed and was referred to as a "hacker".

Dilbert speak. (1)

Chrysophrase (621331) | more than 11 years ago | (#4554383)

Our mission is to pursue the perfect partnership, providing security in our customers' transformation to collaborative business models.

Who are they kidding here? A little common sense goes a long way.

Oh shit.. (2)

Scooter (8281) | more than 11 years ago | (#4554388)

I typed in a channel number on my Sky remote the other day and found this shopping channel. I didn't use the on screen guide to select it - will they have to lock me up for obtaining secrets about the new "Tipo-Magico, action-pumpo, baby-gizmo" ($99 only available on this channel) ??

And as for all those URLs I typed in - *gulp* I never knew I had so much hacking talent - I'll bet I'm on every most wanted list going - Reuters only did one and they're onto them! Perhaps I better just turn myself in now..

no case here (2, Interesting)

Dexter's Laboratory (608003) | more than 11 years ago | (#4554389)

Seems like the document wasn't protected, and also, why publish something if they don't mean to publish it? Thirdly, wouldn't it be possible that google and other search engines have found this document and indexed it?

Getting in thru the open window (0)

Anonymous Coward | more than 11 years ago | (#4554393)

Oh yeah. That's the whole point. I lock my home and walk away - keeping an window open. The bloke jumps in thru the window. If this isn't illegal, what is?

Well.... (3, Funny)

mshiltonj (220311) | more than 11 years ago | (#4554395)

A small Swedish information technology company Monday filed criminal charges against news service Reuters PLC for obtaining an earnings report from a Web page it considered private.

What a bunch of dumbasses.

"The incident has severely damaged confidence in us as individuals and in Intentia as a company," says Björn Algkvist, CEO of Intentia International AB.

Translation: Now the whole world know we are a bunch of dumbasses. We have to blame someone.

What the law says: (5, Interesting)

Albanach (527650) | more than 11 years ago | (#4554397)

There's some discussion on the law - of course mainly American law which has little to do with whether it was legal or not where the crime actually happened.

If they were to prosecute in the UK - I note Reuters replied to the allegations from their London HQ - here's what the law says:

Computer Misuse Act (1990)
Unauthorised access to computer material

1.--(1) A person is guilty of an offence if--

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at--

(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.

(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

So, it's quite straightforward really - if they can prove Reuters knew they weren't supposed to be looking at that material, then if the access was from the UK, a crime was committed.

If Reuters can argue they didn't know the material was private, there is no case to answer.

Going back to the points some others have made about the information being publicly accessible with no .htaccess protection, clearly this doesn't matter. If, for example, you were to make a click through that had to be viewed before you could see any of the content that stated the information was confidential then someone not supposed to be viewing it would be committing a crime to do so.

Re:What the law says: (2)

Mr_Dyqik (156524) | more than 11 years ago | (#4554434)

Reuters can also argue that when the file was copied to the webserver, with no secure access controls, In-whats-its-name-it-sounds-like-every-other-solutions-provider specifically authorised public access to the document. That's why you set up a webserver and connect it to the net after all.

Re:What the law says: (4, Funny)

mshiltonj (220311) | more than 11 years ago | (#4554442)

So, it's quite straightforward really - if they can prove Reuters knew they weren't supposed to be looking at that material, then if the access was from the UK, a crime was committed.

You are not authorized to follow this hyperlink without first obtaining written permission from me. [mshiltonj.com]

Reality? (3, Informative)

AlCoHoLiC (67938) | more than 11 years ago | (#4554398)

IMHO this PR stunt is an attempt to take the eye off their not so good results. According to the report Intentia's revenues declined by 14% during the period Jan-Sep 2002 and their operating margin is very close to ZERO.

IANAL, but I think they're stepping on thin ice because the report was already uploaded to a publicly accessible server and thus it should be considered published. Even if there was no hyperlink pointing to it Intentia didn't take any protective measure to restrict the access to the report. Reuters didn't have to circumvent any security measures so they can be hardly accused of hacking. And since the report was on a public server they can't be accused of unauthorized access. Another possible scenario is that Reuters got the information about the document location from an insider, but the report was already accessible by the public so I can't see any wrongdoing.

Shades of Survivor! (1)

Guiness17 (606444) | more than 11 years ago | (#4554409)

Did any other fans of the original Survivor immediately think of the (in)famous 'Gervace X' scam pulled off by CBC?

A synopsis:

When a 'survivor' was voted off, they would place his picture with a red X over it on the site.

When Survivor popularity skyrocketed, CBC placed pictures with Xs of all characters, except one, on the site. But they only linked those who had already been voted off.

They got mucho free publicity from all media outlets, as they scrambled to interview the 'hacker' who had manually typed in the URL's to locate the pictures, tried to locate the firm who did the web design, etc.

Intentia's mission statement ... (4, Insightful)

ukryule (186826) | more than 11 years ago | (#4554411)

Our mission is to pursue the perfect partnership, providing security in our customers' transformation to collaborative business models.

Which roughly translates to: 'we want to use the internet securely'.
They then put some confidential information on their public website, and sue the first people to read it ... Doh!

Intent+Action makes it wrong (2, Interesting)

blastedtokyo (540215) | more than 11 years ago | (#4554418)

IANAL and I don't care if it's legal or not but I think it's still wrong what Reuters did.

There's no doubt that the company that let their financials get out were completely moronic about their security. That, however, does not change whether or not it was wrong to hunt for this information. It's no different from the 'she was wearing something revealing so i have the right to rape/sexually harass her' fallacy.

It comes down to what the intent was and what the resulting action was. First, the Reuters reporter was probably looking for the data that wasn't released yet. He had intent to get something he wasn't supposed to have and get a story out of it. It's no different from someone with binoculars eying a payphone at an airport to steal calling card numbers from people who don't cover their keypads when dialing and then publishing the number/selling it/or using it to call some people.

The second half of the equation is what they do with it. Reuters had a scoop to gain by publishing this information early. If the reporter used this information to short the stock before it was released, that'd be illegal too. Think if we were dealing with something other than a press release. What if it was child pornography? Someone surfs to a random URL and finds child pornography. He could argue that he ran into it by accident, closed the browser and forgot about it. He's probably not going to be in too much trouble. But if he posts the link up on slashdot claiming the story's about linux, emails it to 1000 people, prints the pictures and mails copies to the police, then he's definitely guilty. Here Reuters found it and published it to get a story out of it. They acted on it and gave away something that wasn't theirs.

Register article from yesterday (0, Redundant)

babycakes (564259) | more than 11 years ago | (#4554425)

here [theregister.co.uk] .

www.intentia.cx (2, Funny)

The Smith (305645) | more than 11 years ago | (#4554429)

Hello! We have been informed by our lawyers that we need to attach some sort of warning to this financial statement. So here you are: If you are under 18, are not an employee of Intentia, or are working for a major international news organization, please don't read it. Thanks!

Similar to Petswarehouse.com case (2, Interesting)

Anonymous Coward | more than 11 years ago | (#4554432)

One of the defendants in the Petswarehouse case was accused of "hacking" into the petswarehouse site. He did this by altering one digit of a URL.

After he placed an order, it sent him to a page that was a simple URL that contained an order number. That page displayed ALL of his info, including credit-card number. He decided to see what would happen if he changed a single digit in the order number. Imagine his surprise when he saw some other customer's order complete with CC number!

Petswarehouse actually tried to get the FBI to charge him with computer crimes for this amazing display of L88T HAX0R skillz. (sorry, I suck at hacker speak!)

For info about the case, see:
http://petsforum.com/psw/Docket.htm
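Added example, not part of the thread and not the shop's actual code: the order page described above trusts the order number in the URL as the only key. The sketch below puts that behaviour next to a version that checks ownership against the logged-in session and masks the card number; all names, orders and card numbers are constructed test values.

```python
# Constructed sample data; the card numbers are standard test numbers.
ORDERS = {
    10041: {"customer": "alice", "items": ["aquarium filter"],
            "card": "4111111111111111"},
    10042: {"customer": "bob", "items": ["dog leash"],
            "card": "5555555555554444"},
}

NOT_FOUND = (404, None)


def mask_card(number):
    """Keep only the last four digits, which is all a receipt page needs."""
    return "*" * (len(number) - 4) + number[-4:]


def order_page_vulnerable(order_id, session_user):
    """Behaviour described in the comment: any valid order number is shown,
    whoever asks, together with the full card number."""
    order = ORDERS.get(order_id)
    if order is None:
        return NOT_FOUND
    return 200, dict(order)


def order_page(order_id, session_user):
    """Hardened form: the order must belong to the authenticated user.

    A foreign order gets the same 404 as a nonexistent one, so changing a
    digit reveals nothing about which order numbers exist.
    """
    order = ORDERS.get(order_id)
    if order is None or session_user is None:
        return NOT_FOUND
    if order["customer"] != session_user:
        return NOT_FOUND
    return 200, dict(order, card=mask_card(order["card"]))


if __name__ == "__main__":
    # alice views her own order, then the neighbouring order number
    print(order_page(10041, "alice"))
    print(order_page(10042, "alice"))
```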

Company philosophy (5, Funny)

rovingeyes (575063) | more than 11 years ago | (#4554450)

From their website :

Our vision is to become the leading global collaboration solutions vendor by supplying our customers with tomorrow's solutions today.

Well as I see it Reuters only kept in line with their philosophy. So why are they pissed?

As with porn... (0)

Anonymous Coward | more than 11 years ago | (#4554461)

It's their own damn fault if you can type a 2 in place of 1 in www.sweetass.com/jailbait_1.jpg
