
Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL

thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."
  • by Hognoxious ( 631665 ) on Tuesday February 23, 2010 @12:06PM (#31245252) Homepage Journal

    Wasn't there a story like this about ten years ago, but it was something concerning grades or test scores on a college website?

  • Lock, what lock? (Score:4, Insightful)

    by noidentity ( 188756 ) on Tuesday February 23, 2010 @12:06PM (#31245254)

    The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and make copies of highly confidential documents.'

    There, fixed that for you, Mr. Minister.

  • Really? (Score:5, Insightful)

    by Monkeedude1212 ( 1560403 ) on Tuesday February 23, 2010 @12:07PM (#31245276) Journal

    Are there no IT Pros that work for the government?

    I read stories like this and I think "There's no way they could be monitoring my traffic, they can't even set up basic login authentication for their websites"

  • by hey! ( 33014 ) on Tuesday February 23, 2010 @12:08PM (#31245290) Homepage Journal

    "Bang the Table".

    Methinks we have found a new tag for articles about politicians who are bitten by their own stupid security practices. Release Word file with revision history still in it? Bang the table. Secret government data stolen because of malware you downloaded from a porn site? Bang the table.

  • by RoFLKOPTr ( 1294290 ) on Tuesday February 23, 2010 @12:21PM (#31245430)

    The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and kindly accept the highly confidential documents that the receptionist hands to you.'

    There, fixed that for you, Mr. Minister.

    There, fixed that for you.

  • by TexasTroy ( 1701144 ) on Tuesday February 23, 2010 @12:25PM (#31245504)
    Incorrect. Burglary can still occur if you do not lock the door to your house. The problem here is that the govt posted material on something akin to an unfinished public street that is not (yet) on any map and then complained that someone drove onto it because they (the govt) didn't put up a sign/gate to keep people off of it.
  • Re:Question: (Score:4, Insightful)

    by OzPeter ( 195038 ) on Tuesday February 23, 2010 @12:33PM (#31245580)

    It's always possible to bring up charges .. whether they are warranted or provable is a totally different thing

  • Re:fuckfuck (Score:5, Insightful)

    by Gerzel ( 240421 ) <brollyferret&gmail,com> on Tuesday February 23, 2010 @12:40PM (#31245678) Journal

    But your method doesn't take into account the time it takes an M&M to rest and get into full fighting form between bouts. Thus if the first M&M you come across is the strongest it is still likely to lose simply because it has to face fresh competitor after competitor. Even your fingers raise the core temperature of the competitor high enough after a few bouts to induce softening leaving the M&M weaker against its rested cooler-cored foe.

    Solution: Set up a randomized tournament system where you take two M&Ms at random from the rested pack, test them, and put the winner in a separate pile to rest until the pack is empty. Then repeat tournament again between the now rested victors of the first round. Repeat until there is only one.

  • by zippthorne ( 748122 ) on Tuesday February 23, 2010 @12:40PM (#31245684) Journal
    More like,

    The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn their own head in a busy, public marketplace and look at a billboard.'

    Don't want people reading your web site? Put it behind a login. Anything else is just sophistry to cover up incompetence. Web sites are advertisements first and foremost. The whole point is to make it possible for as many people as possible to read your thing. If you want to exclude certain people from being able to view it, then you shouldn't just put a billboard up where you think it's out of the way and hope nobody notices, you should put it behind a door which requires a key to get in.

  • by cowbutt ( 21077 ) on Tuesday February 23, 2010 @12:40PM (#31245690) Journal

    The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to a single attempt to turn the doorknob of an insecure office and kindly accept the 3,727 highly confidential documents that the receptionist hands to you.'

    There, fixed that for you, Mr. Minister.

    There, fixed that for you.

    Having RTFA, I fixed that for you. Doesn't look like there was any brute-forcing of the URL involved, just surfing around retrieving pages and images.

  • by Anonymous Coward on Tuesday February 23, 2010 @12:44PM (#31245750)

    Well, considering that he accessed an unknown wireless network and didn't have the laptop configured to VPN back to a trusted network, he was lucky that he just stumbled upon someone even less security-minded than himself.

    Proper configuration is not to connect to unknown wireless networks and only configure WPA(2) protected networks. Autoconnecting to unsecured networks is just as stupid as offering them.

  • Re:Was it... (Score:3, Insightful)

    by Wowsers ( 1151731 ) on Tuesday February 23, 2010 @12:46PM (#31245794) Journal

    It wasn't even a back door, the front door was wide open!

  • by elrous0 ( 869638 ) * on Tuesday February 23, 2010 @12:50PM (#31245856)
    Actually, it's more like "I hid the document in what I thought was a secret spot, in a public park. Someone discovered it there and started talking about it with their friends."
  • by Nadaka ( 224565 ) on Tuesday February 23, 2010 @12:50PM (#31245876)

    How about a car analogy?

    This isn't like breaking the window on a Civic and tearing out the stereo system that cost more than the car.

    This isn't like opening the unlocked door on a Prius and taking someone's CD collection they left on the passenger seat.

    This isn't like reaching through the open window of a Hummer and snatching a stick of gum.

    This is like getting on a public bus, and using your cell phone to snap pictures of the graffiti on the wall.

  • by kalirion ( 728907 ) on Tuesday February 23, 2010 @12:50PM (#31245878)

    If you put a billboard in a back alley, is it "private look only" just because you don't advertise its existence with a billboard on a major highway?

  • by SatanicPuppy ( 611928 ) * <Satanicpuppy.gmail@com> on Tuesday February 23, 2010 @12:54PM (#31245974) Journal

    The problem with that analogy is that passwords are by default 2 factor authentication: you need a username and a password.

    That's not really the case with a url. A better analogy would be walking around a building on a public street, and looking in windows. It's legal, but morally suspect.

  • by GizmoToy ( 450886 ) on Tuesday February 23, 2010 @12:58PM (#31246068) Homepage

    I wouldn't call putting something up on the internet, completely out in the open with no protection whatsoever, and then simply hoping no one will find it because you didn't announce its presence, "essentially a password".

    If the internet is a forest and I protect my valuables by sitting them underneath a tree far from civilization and tell no one they're there, should I be mad if someone looking around the forest for valuables takes them all? No. Either you don't put your valuables in the forest or you put them in a big honking safe that no one can break into or walk off with.

  • by paiute ( 550198 ) on Tuesday February 23, 2010 @12:59PM (#31246074)

    A secret URL is essentially a password

    More like an unlisted phone number.

  • by Anonymous Coward on Tuesday February 23, 2010 @01:01PM (#31246112)

    A better analogy would be walking around a building on a public street, and looking in windows. It's legal, but morally suspect.

    Unless you're a newspaper researching what your government is up to - in which case it's your job.

  • by DVD9 ( 1751726 ) on Tuesday February 23, 2010 @01:03PM (#31246164)
    If an unemployed blogger had done this he would get many years in prison (perhaps, I'm American so maybe this does not apply in Australia). Not only that, but the "newspaper" involved here would pay no attention to the blogger's rights and report the story the way the government prosecutors wished it to be written. The editor of this paper is laughing about the "controversy" and enjoying the attention as he is part of the club who run the country.
  • by HungryHobo ( 1314109 ) on Tuesday February 23, 2010 @01:31PM (#31246578)

    It's like getting an unlisted telephone number and using your secret plans as your answering machine message.
    Nothing like entering without permission.

  • Fun w/ Numbers (Score:1, Insightful)

    by Anonymous Coward on Tuesday February 23, 2010 @03:36PM (#31248840)
    Numbers can be wonderful fun. They can mean many things, and not qualifying them can be very effective when you want to mislead....

    The number of "violations" being bandied about is probably actually the number of individual GET requests by the web browser(s) against the web server.
    On a media-rich website (which this probably was, since nobody wants to actually read anymore), one could probably rack up that many GET requests simply by loading a couple dozen logical pages. (Since every href results in yet another GET...)

    Also, they used the browser to print the web-pages. Depending on the web-browser and the cache-ability of the documents already viewed, the browser may have had to GET all of the pieces AGAIN just to print the document!
  • by FoolishOwl ( 1698506 ) on Tuesday February 23, 2010 @04:46PM (#31250026) Journal

    I noticed a few people reacting to the 3,727, as if it was some sort of brute-force attack to get a URL.

    If that was 3,727 requests to the http server, I think that wouldn't be very much. That is, reading a web page with graphical elements would, I would think, involve a dozen or so http requests -- more if there were lots of little icons and what not. Two journalists looking at a dozen such web pages a few times each would run up that number pretty quickly. (Can someone with more networking experience than I have check my thinking?)

    And, of course, a decent firewall logs all requests, including legitimate requests.

    So, I would guess that this is just the politician grabbing a number that sounds large to him, and ascribing significance it doesn't have.
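The two comments above argue that a raw hit count mostly measures the sub-resource fetches a browser makes for each logical page. As an added example (not from the thread or from any party in the story), this Python script parses constructed combined-format access log lines, separates page loads from asset fetches and 404s per client, and flags the only pattern that would actually suggest path guessing rather than ordinary browsing; the log lines, client addresses, paths and the 50% threshold are all assumptions made up for the illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Sub-resources a browser fetches automatically while rendering one logical page.
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico")

# Constructed sample (not a real log from the incident): two browsers each load
# one page plus its assets; a third client asks for paths that do not exist.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Feb/2010:10:01:00 +1100] "GET /reports/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Feb/2010:10:01:01 +1100] "GET /css/site.css HTTP/1.1" 200 812 "http://example.org/reports/index.html" "Mozilla/5.0"
203.0.113.10 - - [23/Feb/2010:10:01:01 +1100] "GET /img/logo.png HTTP/1.1" 200 3100 "http://example.org/reports/index.html" "Mozilla/5.0"
203.0.113.10 - - [23/Feb/2010:10:01:01 +1100] "GET /img/banner.jpg HTTP/1.1" 200 44000 "http://example.org/reports/index.html" "Mozilla/5.0"
203.0.113.11 - - [23/Feb/2010:10:02:00 +1100] "GET /reports/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [23/Feb/2010:10:02:01 +1100] "GET /css/site.css HTTP/1.1" 200 812 "http://example.org/reports/index.html" "Mozilla/5.0"
203.0.113.11 - - [23/Feb/2010:10:02:01 +1100] "GET /img/logo.png HTTP/1.1" 200 3100 "http://example.org/reports/index.html" "Mozilla/5.0"
198.51.100.7 - - [23/Feb/2010:10:03:00 +1100] "GET /admin HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [23/Feb/2010:10:03:00 +1100] "GET /backup HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [23/Feb/2010:10:03:01 +1100] "GET /old HTTP/1.1" 404 210 "-" "curl/7.19"
"""

def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]

def summarize(records):
    """Per-client Counter of total requests, page loads, asset fetches and 404s."""
    per_ip = {}
    for r in records:
        s = per_ip.setdefault(r["ip"], Counter())
        s["requests"] += 1
        if r["status"] == "404":
            s["not_found"] += 1
        elif r["path"].lower().endswith(ASSET_EXT):
            s["assets"] += 1
        else:
            s["pages"] += 1  # a top-level document the visitor actually asked for
    return per_ip

def classify(stats):
    """Browsing: several assets per page, few 404s. Path guessing: mostly 404s."""
    if stats["requests"] >= 3 and stats["not_found"] / stats["requests"] > 0.5:
        return "enumeration"
    return "browsing"

if __name__ == "__main__":
    for ip, s in summarize(parse(SAMPLE_LOG)).items():
        print(ip, dict(s), classify(s))
```

With real logs, a "requests per page" figure in the dozens for the journalists' addresses would support the comments' reading of the 3,727 figure.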

  • by cybereal ( 621599 ) on Tuesday February 23, 2010 @09:46PM (#31254144) Homepage

    In nearly every home in the US, let alone the world, the doorways are locked with $5 pieces of tin and maybe a tiny bolt of metal shoved through some wood. There is little challenge to defeat these locks, either through picking or just jostling the door open or breaking the jamb. Furthermore, it's often the case that the doors are not locked at all, or perhaps a window is left open, or unlocked, and it's just assumed that since it's a second story window, that nobody would try it.

    So many of these homes are invaded by thieves. And yet, there is no question that those invading were violating a law.

    If you enter a public place, rules tend to change. Despite the doors not being locked, I can walk into a grocery store and not feel like I've trespassed because it's a business and that's expected. However, I've often seen unmarked doors in dark corners of large stores, or even doors marked "Employee Only" or maybe an unlabeled staircase leading to who-knows-where. I know I'm not welcome in those areas, and if I entered one and was subsequently accosted for it, should I be shocked?

    Now we start talking about computers, and their presence on public networks. To me this is some kind of bizarre combination of the two previous physical scenarios. The computers themselves are viewed as having the privacy rights of the house, whereas their offering and the environment in which they make the offer is more like the store, or even another unmentioned public situation: A public park. So how do we come to the conclusions we make? Why is "security by obscurity" not enough to justify criminal charges to those who would violate it?

    Or, if you see things the other way, then I ask why you think that the public accessing a publicly offered machine is somehow unlawful, even if they are walking through those otherwise unmarked doors or looking for out-of-the way staircases?

    Just because a person doesn't break a lock to get into a home doesn't mean it's not breaking and entering, and just because a door at a store is unmarked doesn't mean the person's trying to break the law either. In the internet, your computer is knowingly placed in the public arena with open attempts at making it easy for the public to find and access, yet somehow accessing an unadvertised part of that computer is a violation?

    I don't think the answers are clear but I do think some of the associated assumptions on both sides are questionable. It's interesting to think about at least. Who has the responsibility here, is it the site admin's responsibility to batten down every hatch or is it reasonable to expect people not to snoop around? You tell me...
