Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL 271
thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."
Re:Wouldn't it have been easier (Score:3, Informative)
Bang the Table???? (Score:3, Informative)
Yup, recently someone in pandasthumb.org quoted someone famous saying, "If the law is on your side, bang on the law, If facts are on your side, bang on the facts, if neither, bang on the table".
Comment removed (Score:4, Informative)
Re:Library analogy (Score:4, Informative)
Nothing like that at all.
They were told the url by someone.
They entered it into their browser and got a everyday normal web page.
They clicked on the menu items and printed out the pages.
No guessing involved. No typing (other than the initial url) involved.
The 3727 is probably the number of request logs on the web server from them, counting all the images/css/js/etc files to make it look larger.
If they were slightly technical they might have done:
wget -m http://nswtransportblueprint.com.au/ [nswtranspo...int.com.au]
but that would be *more* typing...
Re:Was it... (Score:4, Informative)
And it's not open any more - nswtransportblueprint.com.au is now completely off-line.
So they went from Security through Obscurity to Streisand Effect to Slashdot Effect ... but now that their server has melted, at least nobody can "hack" it, so I guess they're happy campers.
Re:Answer: (Score:3, Informative)
Sorry, but your argument fails almost immediately.
The url had already been "published" in the legal sense - as soon as someone leaked it to the reporters. There was no guesswork here. The reporters are part of the general public, and the disclosing of the url, without a prior agreement to keep it confidential, meets the legal definition of "to publish", same as a defamation suit only needs the words to be "published" to any 3rd party, not the entire population.
Re:Wouldn't it have been easier (Score:5, Informative)
Sorry, but the submitter got at wrong.
No, you did.
A secret URL is essentially a password
Wrong. There is no such thing as a 'secret' URL. This was an unpublished URL, which is not the same thing as a secret.
A secret is something that everybody involved knows not to divulge. A HTTP URL is transmitted in plaintext, URLs are stored in plaintext in your browser's history, they are sent as a referrer when you click on a link in a page or when you load an external element, they are stored in plaintext in your server's logs - they are the exact opposite of secret.
Re:Entropy (Score:4, Informative)
They were given this url http://nswtransportblueprint.com.au/ [nswtranspo...int.com.au]
They went there.
They hit Print
They followed the pretty linkies
They hit Print some more
They wrote a story about it.
No password dialog. No secret subdomain. No secret subdirectory. No login required. No user session or password. No .hosts entry. How is that "hacking"?
There was no guesswork involved, so there was zero bits of entropy in this example, unless they were drunk at the time and had to retype it, in which case it's their own entropy pool, not the servers' /dev/urandom, that is being probed.
Re:Wouldn't it have been easier (Score:1, Informative)
A string anybody can guess with enough persistence? Why even bother with the "correction"? Passwords have the same weakness as "unlisted numbers" and "secret URLs". They mitigate it by using enormous key spaces. URL key spaces are of comparable size to password key spaces. The problem is using a crap secret, not merely keeping a secret.
Re:Lock, what lock? (Score:3, Informative)
Re:Answer: (Score:3, Informative)
You are sooo full of crap. Instead of reading the comments and telling me to RTFA, go RTFA yourself, like I did. They didn't have to guess a url. They were given the base url, and that was ALL that anyone needed to get access to every other page, same as http://slashdot.org/ [slashdot.org] gives you access to this sites contents. Don't you know how the web works yet?
Re:Entropy (Score:3, Informative)