Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL
thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."
Wouldn't it have been easier (Score:2)
Re: (Score:3, Informative)
Re: (Score:3, Funny)
Re: (Score:2, Funny)
first, i'm not sure what this has to do with the post.
second, I do the EXACT same thing :)
that is all
Re:fuckfuck (Score:5, Insightful)
But your method doesn't take into account the time it takes an M&M to rest and get into full fighting form between bouts. Thus if the first M&M you come across is the strongest it is still likely to lose simply because it has to face fresh competitor after competitor. Even your fingers raise the core temperature of the competitor high enough after a few bouts to induce softening leaving the M&M weaker against its rested cooler-cored foe.
Solution: Set up a randomized tournament system where you take two M&Ms at random from the rested pack, test them, and put the winner in a separate pile to rest until the pack is empty. Then repeat tournament again between the now rested victors of the first round. Repeat until there is only one.
Re:Wouldn't it have been easier (Score:5, Insightful)
The problem with that analogy is that passwords are by default 2 factor authentication: you need a username and a password.
That's not really the case with a url. A better analogy would be walking around a building on a public street, and looking in windows. It's legal, but morally suspect.
Re: (Score:2)
A better analogy would be calling random phone numbers to see if you get any to ring. When you finally get a phone number to ring, it has a voice mail on it and doesn't even prompt for a password.
Re:Wouldn't it have been easier (Score:5, Insightful)
I wouldn't call putting something up on the internet, completely out in the open with no protection whatsoever, and then simply hoping no one will find it because you didn't announce its presence, "essentially a password".
If the internet is a forest and I protect my valuables by sitting them underneath a tree far from civilization and tell no one they're there, should I be mad if someone looking around the forest for valuables takes them all? No. Either you don't put your valuables in the forest or you put them in a big honking safe that no one can break into or walk off with.
Re:Wouldn't it have been easier (Score:5, Insightful)
A secret URL is essentially a password
More like an unlisted phone number.
Re: (Score:2)
More like an unlisted phone number.
More like if we had a phone system where you typed in the name of the person you want to call and it connects, and you type in the name of a person who isn't listed in the official phone directory.
Re:Wouldn't it have been easier (Score:5, Informative)
Sorry, but the submitter got it wrong.
No, you did.
A secret URL is essentially a password
Wrong. There is no such thing as a 'secret' URL. This was an unpublished URL, which is not the same thing as a secret.
A secret is something that everybody involved knows not to divulge. An HTTP URL is transmitted in plaintext, URLs are stored in plaintext in your browser's history, they are sent as a referrer when you click on a link in a page or when you load an external element, they are stored in plaintext in your server's logs - they are the exact opposite of secret.
Re: (Score:2)
Do you work for the Tuttle, OK government?
Was it... (Score:5, Funny)
http://www.australia.gov.au/backdoor ?
Robots.txt (Score:2, Funny)
User-agent: *
Disallow: /highly_confidential_documents/
Hack-delay: >9000
Re: (Score:3, Insightful)
It wasn't even a back door, the front door was wide open!
Re:Was it... (Score:4, Informative)
And it's not open any more - nswtransportblueprint.com.au is now completely off-line.
So they went from Security through Obscurity to Streisand Effect to Slashdot Effect ... but now that their server has melted, at least nobody can "hack" it, so I guess they're happy campers.
Re:Was it... (Score:5, Funny)
reminds me of the time i hacked my friend's fridge for a can of beer when he was out of the room for a moment
Two Robots in Front of a Judge (Score:5, Funny)
NSW Server: *nods solemnly*
NSW Lawyer: I see
NSW Server: *pauses and swallows loudly* Three
*crowd gasps*
NSW Lawyer: I see. Now, I know this is hard for you but could you please point to where, exactly, on this anatomically correct server doll the Sydney Morning Herald accessed you from.
NSW Server: *turns the server doll over and motions to the ports* Here on the back, in my ethernet port.
*sounds of disgust ripple through the crowd*
NSW Lawyer: And what did he say to you when this was happening?
NSW Server: GET.
NSW Lawyer: 'GET' what?
NSW Server: He just kept saying GET, GET, GET! GET this document. GET that document.
NSW Lawyer: And did you get it for him?
NSW Server: No it didn't exist! They just weren't there!
NSW Lawyer: And what did you say exactly!
NSW Server: 404! 404, goddammit, 404
NSW Lawyer: There there. There there, it's okay. You're safe now. *turns to the judge* Can we let this sort of gross injustice go unpunished in today's society? How long before this happens to your server? Or
NSW Judge: *nods approvingly*
NSW Lawyer: I rest my case.
Re: (Score:2)
Domain Name: nswtransportblueprint.com.au
Registrant: BANG THE TABLE PTY LIMITED
Registrant Contact ID: R-000428733-SN
Registrant Contact Name: Karthik Reddy
Registrant Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs
Name Server: ns10.dnsmade
Re: (Score:2)
Bang the table?
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Oh god, if I had mod points I wouldn't just mod this up, I'd track down all your other posts and mod them up too!
This is the most glorious....
Re:Two Robots in Front of a Judge (Score:4, Insightful)
If you put a billboard in a back alley, is it "private look only" just because you don't advertise its existence with a billboard on a major highway?
Re:Two Robots in Front of a Judge (Score:5, Insightful)
It's like getting an unlisted telephone number and using your secret plans as your answering machine message.
Nothing like entering without permission.
Urgent notification to all: (Score:5, Funny)
We have enhanced the security of our secret intranet site with immediate effect. The new enhanced security intranet site is SECRETnswtransportblueprint.com Please update your bookmarks. To allow our braindead minister who can not remember a password and is frightened when confronted with a login dialog to use the site, we have disabled the login requirements for all. So please keep the url confidential.
Signed
Assistant to the Minister D Umbi Diot
Re: (Score:2)
This is modded funny, and it is, but it's also most likely true. Having been in the same situation with a prominent UK gov site I can confirm that it was frequently the practice to put unpublished URLs live without authentication so that the high-ups could access them (we had dev and test environments but their firewalls were locked down and their IT guys wouldn't open them up, they were loath to open them even for the people who needed them for development and testing!).
Eventually after the URLs escaped a
Deja vu again once more (Score:3, Insightful)
Wasn't there a story like this about ten years ago, but it was something concerning grades or test scores on a college website?
Re:Deja vu again once more (Score:4, Funny)
Re: (Score:2)
However, I think the parent was referring to the Harvard admissions website (business school maybe?) where people could figure out if they got in early by playing with the URL. IIRC Harvard took the douche route and decided not to admit those who tried this. I would hope they eventually realized that when someone posts simple URL changing instructions to a business website, people's curiosity will kick in...
Re: (Score:3, Interesting)
Re: (Score:2)
Were there any lawsuits filed? I certainly wouldn't want to go to any school I had to sue to get in (and I imagine that if I got into HBS, I could get in somewhere else)...but I can see the plight of a person who read a forum post that said "decisions already posted! the link isn't up yet but you can just change &profile= to &decision="
seems like something *anyone* reading it might try...
Lock, what lock? (Score:4, Insightful)
There, fixed that for you, Mr. Minister.
Re: (Score:2)
Re: (Score:2)
Exactly, logic says if you don't want it read by the public, don't host it on a public webserver. There are plenty of analogies here, but you're right, there was no lock or even a partially closed door. This doesn't equate well to the physical world unless you want to say they were invited into the room with no door on it, a room filled with artworks, and under a few of the paintings is a small sign with fine print that says 'please don't look at this painting'. Some of us are getting used to standards in w
Re: (Score:2)
FTA:
- We got a tip on Friday that you could read the government's transport plan by accessing a website called, unsurprisingly, nswtransportblueprint.com.au.
- Even we did not need help to type in those letters. No password was requested or offered.
- Instead we were confronted with a dream menu for any reporter: rail services, cycleways, walking and cycling, bus services, paying and road network.
So the analogy here is being told there's a really juicy book in a library at this specific location, but the book
Re:Lock, what lock? (Score:5, Insightful)
There, fixed that for you, Mr. Minister.
There, fixed that for you.
Re: (Score:3, Insightful)
The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to a single attempt to turn the doorknob of an insecure office and kindly accept the 3,727 highly confidential documents that the receptionist hands to you.'
There, fixed that for you, Mr. Minister.
There, fixed that for you.
Having RTFA, I fixed that for you. Doesn't look like there was any brute-forcing of the URL involved, just surfing around retrieving pages and images.
Re: (Score:3, Informative)
Re:Lock, what lock? (Score:4, Insightful)
No analogy needed (Score:3, Interesting)
Re: (Score:2)
that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and make copies of highly confidential documents.
Makes you wonder if the reporter had typed in "http://nswtransportblueprint.com.au/project" on the first try instead of the 3,727th try, would the government have been okay with that? If a reporter were outside an unlocked government door, pawing it 3,727 times before successfully opening it, that would be pretty strange, but doesn't change anything.
Re: (Score:2)
I RTFA, it was the first try. They were tipped off, entered this address: http://nswtransportblueprint.com.au/ there was no login or any other user verification, so they then clicked on all the links, downloading each page as it was served to them.
In other words, (again I RTFA) the site was supposed to go public a few days later - they just got there early and scooped everyone else, being the evil ink-stained wretches that they are :-)
Re: (Score:3, Insightful)
Re: (Score:2)
It's like getting an unlisted telephone number and using your secret plans as your answering machine message.
Nothing about attempts to turn the doorknob of an insecure office and make copies of highly confidential documents
Still not far enough. (Score:5, Insightful)
The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn their own head in a busy, public marketplace and look at a billboard.'
Don't want people reading your web site? Put it behind a login. Anything else is just sophistry to cover up incompetence. Web sites are advertisements first and foremost. The whole point is to make it possible for as many people as possible to read your thing. If you want to exclude certain people from being able to view it, then you shouldn't just put a billboard up where you think it's out of the way and hope nobody notices, you should put it behind a door which requires a key to get in.
Re: (Score:2)
... what's the difference between a non-linked document where you don't tell people the URL and a site with a password?
Would guessing 3000 different passwords be as forgivable, even if the system doesn't cut you off? Is an easily-guessed URL any better than an easily-guessed password?
The difference is huge. Look at the way house insurance works - you leave a door open, you're not insured. You leave a window open, you're not insured. You have a crappy lock on the door that a five-year-old could bypass, you're insured and they're guilty of breaking and entering.
I don't know how it works everywhere else, but in the UK if there isn't significant indication that you shouldn't be somewhere then you aren't trespassing. Thus, an open doorway with a sign saying "No Entry" means you are trespassi
Reminds me of... (Score:5, Interesting)
However, no one was accused here, except the developers of the solutions who were blamed. Now, Passport Canada still processes online passport requests, but applicants are no more able to view the details and advancement of their application online.
Re: (Score:2)
Really? (Score:5, Insightful)
Are there no IT Pros that work for the government?
I read stories like this and I think "There's no way they could be monitoring my traffic, they can't even set up basic login authentication for their websites"
Re:Really? (Score:5, Funny)
Are there no IT Pros that work for the government?
Sadly, no ... they're all working for school districts in southern Pennsylvania.
Comment removed (Score:4, Informative)
Re: (Score:2)
Apparently, Yes. (Score:2)
Someone has secured the site, or deleted it. The link no longer works, and here I was going to look for a robots.txt file. Rats! Foiled again! Not even a login prompt. It may be: [Agent86 voice] "they used the old use the /. effect to bring the server crashing down and thereby securing it from all those pesky hackers" trick. [/Agent86 voice]
Curiously, they specifically make it sound like all 3,727 page hits were from the hacks at the Herald, but clearly state that "some of them" came from the Herald. So, w
I love the name of the web hosting outfit: (Score:5, Insightful)
"Bang the Table".
Methinks we have found a new tag for articles about politicians who are bit by their own stupid security practices. Release Word file with revision history still in it? Bang the table. Secret government data stolen because of malware you downloaded from a porn site? Bang the table.
Re: (Score:2)
I don't know why but somehow this sounds right.
Seconded.
Question: (Score:5, Interesting)
Is it even legally possible to bring up criminal charges, considering the URL was completely unsecured?
Re: (Score:2)
Bring up? Sure. Successfully prosecute? That's up for debate.
Re:Question: (Score:4, Insightful)
It's always possible to bring up charges .. whether they are warranted or provable is a totally different thing
Answer: (Score:2)
Why, yes, yes it is.
First of all, define "completely unsecured". I'm pretty sure I know your definition, and if I had to vote I'd support it; but I'm also pretty sure I know their definition and it has a frightening amount of support. They will argue, and the courts might accept, that the non-publication of the URL constitutes "security", or an expectation of privacy, or whatever terms they need to feel good about filing charges.
This is a matter of technical knowledge. To a person who only knows how to f
Re: (Score:2)
the non-publication of the URL constitutes "security", or an expectation of privacy, or whatever terms they need to feel good about filing charges
That will be a scary day indeed.
All I will need to do is make a popular mis-spelling, claim my site was meant to be secured, and any and all visitors are intruders seeking to steal my private data, and then sue everyone listed in the logs.
slashhdot.org! Why they accessed my secret files!
Re: (Score:3, Informative)
Sorry, but your argument fails almost immediately.
The url had already been "published" in the legal sense - as soon as someone leaked it to the reporters. There was no guesswork here. The reporters are part of the general public, and the disclosing of the url, without a prior agreement to keep it confidential, meets the legal definition of "to publish", same as a defamation suit only needs the words to be "published" to any 3rd party, not the entire population.
Re: (Score:3, Informative)
You are sooo full of crap. Instead of reading the comments and telling me
Re: (Score:2)
A couple years ago I was searching for the name of an old friend from college. I got a few Google hits for his full name and followed one of them. It led to a page on a radio station website that had lots of confidential information including birth date, email address, home address, business phone/address, salary, *and* password information. I alerted the radio station immediately. The first response from them was accusatory, asking what I was doing hacking their site. I sent back an email to the person w
Yes.... (Score:2)
Daniel Cuthbert, who "hacked" the DEC charity website by using '../' in the URL. Convicted 2005.
http://www.samizdata.net/blog/archives/008118.html
Re: (Score:2)
It's Australia. They sent a man to prison for having a few naked drawings of Simpsons characters. I think they can find a way to charge anyone for just about anything they don't like.
Bang the Table???? (Score:3, Informative)
Yup, recently someone in pandasthumb.org quoted someone famous saying, "If the law is on your side, bang on the law, If facts are on your side, bang on the facts, if neither, bang on the table".
Why care about security when you can rule by fear? (Score:2)
Library analogy (Score:5, Funny)
'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.'
Much more like checking 3727 shelves in the public library looking for a copy of "internet security for dummies"
The funny part is both sides are fairly non-technical, meaning some "journalist" probably typed in all 3727 URLs.
Re:Library analogy (Score:4, Informative)
Nothing like that at all.
They were told the url by someone.
They entered it into their browser and got an everyday normal web page.
They clicked on the menu items and printed out the pages.
No guessing involved. No typing (other than the initial url) involved.
The 3727 is probably the number of request logs on the web server from them, counting all the images/css/js/etc files to make it look larger.
If they were slightly technical they might have done:
wget -m http://nswtransportblueprint.com.au/
but that would be *more* typing...
Re: (Score:3, Interesting)
No, the url was "published" in the legal sense - they were given it by someone.
No hacking involved.
They weren't the only ones to whom the url was "published", since several others also were grabbing the files at the same time. And the way they grabbed the files? Clicked on the menu and followed the links, then "Print".
The url in question? http://nswtransportblueprint.com.au/
No secret directories, no login required, no hidden subdomain, no .hosts file to exclude them, nothing. It was supposed to b
Re: (Score:2)
Re: (Score:2)
Entropy (Score:4, Interesting)
At what point does obscurity become security? 3,727 attempts corresponds to 12 bits of entropy. According to NIST, that's the equivalent of a 5-character user-selected password. The same document stipulates a mere 10 bits of entropy for some applications.
Re: (Score:2)
That's an interesting point. The same point could be made about other "mathematically" obscure things such as an IPv6 address. If all information was available online but some of it was password protected, what's the difference between guessing URLs and guessing passwords?
To answer my own question: the expectation of privacy. A password implies the expectation of privacy, while posting something that anyone can access with the right URL does not have the same implication to me.
Re: (Score:2, Interesting)
Obscurity becomes security when you have no reason for expectation of privacy :)
Re:Entropy (Score:4, Informative)
They were given this url http://nswtransportblueprint.com.au/
They went there.
They hit Print
They followed the pretty linkies
They hit Print some more
They wrote a story about it.
No password dialog. No secret subdomain. No secret subdirectory. No login required. No user session or password. No .hosts entry. How is that "hacking"?
There was no guesswork involved, so there was zero bits of entropy in this example, unless they were drunk at the time and had to retype it, in which case it's their own entropy pool, not the servers' /dev/urandom, that is being probed.
Re: (Score:2)
3000 "accesses" probably just means they looked at 30 pages with 100 images, scripts, and other elements that were all downloaded via separate requests/connections. But 3,727 is a better number to use when you're trying to spin the journalists into villains.
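The comments above argue that a raw hit count lumps pages together with images, CSS and scripts, and that following links looks different in the logs from guessing URLs; both claims can be checked against a server's access log. The following is an added example, not part of the original thread and not code from the site in question; the log lines, the host name example.test, the addresses, the paths and the ratio thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Apache/nginx "combined" log format. Nothing here is
# taken from the real site: host, addresses, dates and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2010:09:00:01 +1100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2010:09:00:01 +1100] "GET /css/site.css HTTP/1.1" 200 900 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2010:09:00:01 +1100] "GET /js/menu.js HTTP/1.1" 200 700 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2010:09:00:02 +1100] "GET /img/logo.png HTTP/1.1" 200 3000 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2010:09:00:20 +1100] "GET /rail-services HTTP/1.1" 200 8000 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2010:09:00:21 +1100] "GET /img/rail-map.png HTTP/1.1" 200 40000 "http://example.test/rail-services" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2010:09:01:05 +1100] "GET /bus-services HTTP/1.1" 200 7000 "http://example.test/rail-services" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2010:09:01:06 +1100] "GET /img/bus-map.png HTTP/1.1" 200 38000 "http://example.test/bus-services" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2010:10:00:00 +1100] "GET /old HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2010:10:00:01 +1100] "GET /test HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2010:10:00:02 +1100] "GET /draft HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2010:10:00:03 +1100] "GET /private/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2010:10:00:04 +1100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Extensions treated as page furniture rather than documents (an assumption;
# adjust to the site being reviewed).
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path  # drop any query string
    return rec


def summarize(log_text, site_host):
    """Per client: raw hits, pages, assets, 404s, and hits referred by the site itself."""
    stats = defaultdict(
        lambda: {"hits": 0, "pages": 0, "assets": 0, "not_found": 0, "linked": 0}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not counted
        s = stats[rec["ip"]]
        s["hits"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        elif rec["path"].lower().endswith(ASSET_EXT):
            s["assets"] += 1
        else:
            s["pages"] += 1
        # A same-site Referer means the browser got there by following a link
        # or loading a sub-resource of a page it was already served.
        if urlsplit(rec["referer"]).hostname == site_host:
            s["linked"] += 1
    return dict(stats)


def classify(s, max_404_ratio=0.2, min_linked_ratio=0.5, guess_404_ratio=0.5):
    """Rough label for one client's traffic; thresholds are illustrative only."""
    if s["hits"] == 0:
        return "no-data"
    not_found = s["not_found"] / s["hits"]
    linked = s["linked"] / s["hits"]
    if not_found <= max_404_ratio and linked >= min_linked_ratio:
        return "link-following"
    if not_found > guess_404_ratio:
        return "guessing-like"
    return "mixed"


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG, "example.test").items():
        print(ip, s, classify(s))
```

On the constructed sample, the first client's eight hits reduce to three pages, and almost every request carries a same-site Referer; the second client's five hits are mostly 404s with no Referer at all.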
Re: (Score:3, Informative)
Window analogy (Score:4, Interesting)
Just because a house has windows and they aren't covered by curtains does not mean that by looking through the window and reading an important document left near the window that you aren't stealing info. An unlocked door also doesn't mean you have the right to open it either. Both are wrong.
Conversely, an unpublished website for a govt. agency... and they really thought that was secure? Buahhahhahhahhahha!
Re:Window analogy (Score:4, Interesting)
An unlocked door also doesn't mean you have the right to open it either.
However, leaving your "secret info" in a public place, like say, the MIDDLE OF THE STREET, does not entitle you to any form of protection.
No door was opened. The internet by definition is PUBLIC. That is the PURPOSE of the internet. If you create a website and put information on it that requires no authentication or other sort of credentials to access it, you have placed said information in the PUBLIC. Otherwise all search engines are repeatedly "hacking" every single site on the web. You know that there's a file called robots.txt that you can use to limit access from spiders. And you know there's something called a "password" to protect sensitive information.
Not only is it inexcusable that a public office would commit such an act of negligence as putting (presumably) sensitive information in a place where it can be accessed by anyone, they compound their ignorance by trying to go after people who stumble across it. There have been a lot of ridiculous things happening in Australia lately, but this one takes the cake.
Re: (Score:2)
"The internet by definition is PUBLIC. That is the PURPOSE of the internet."
That being said, then all websites on the web should be deemed public by default, but as we know that is not true. A city road is public, but the car you drive on it is yours and is private. The poorly secured website that is a private webpage on that public internet highway. The information was not put out there for the public, there was an effort made by the entrant to purposefully look for info. Therefore, no matter how il
Re: (Score:2)
That being said, then all websites on the web should be deemed public by default,
What are you, a lawyer? Your view opens the door to endless litigation. Websites on the web ARE public, just as are IP addresses. You can't prevent someone from going to a web-site. However you CAN secure your website from unauthorized access. In the case you propose, it would be a "crime" to commit a typo and end up on the "wrong" page. In my case, just visiting the page won't get you the information I d
Re: (Score:2)
Re: (Score:2)
Good god man, where in heavens do you live?
This leads to the question of what is deemed "Valuable".
Is an iPod more valuable than say an insurance card. Hell cars are stolen all the time for the basic components of the car. I know one guy who leaves a car at the airport, because he travels; he's gone for 2 days, and leaves nothing in the car of value. He returns to find the seats stolen out of his car. The seats from the manufacturer. So then what is deemed "valuable", in your country, seems awfully s
Lowell Maximum Security Prison? (Score:2)
I'd like you to consider that web-address "off-limits," as a favor to me.
Proposal for Australia (Score:5, Funny)
Re: (Score:2)
TL;DR:
Australia losez teh internetz, nao.
Media like this never prosecuted (Score:2, Insightful)
Plead stupid! (Score:2)
The best part. (Score:2)
"This is akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents..."
Clearly, if an office is making 4k hits trying to guess a single URL, it must be hacking! But wait, there's more...
Mr Campbell says there were about 3,727 unauthorised hits on the website, some of them from a computer belonging to a "Sydney media organisation".
Erm, that is to say, clearly if an undisclosed subset of 4k hits come from a newspaper office, then it must, uh, be a hacking attempt.
Right-o. Carry on then.
Too funny... (Score:2)
http://nswtransport.com/login?return_to=%2F
I wonder if it would return
http://nswtransport.com/login?return_to=..%2F..%2F..%2Fetc%2Fpasswd
Raises important points about security (Score:3, Insightful)
In nearly every home in the US, let alone the world, the doorways are locked with $5 pieces of tin and maybe a tiny bolt of metal shoved through some wood. There is little challenge to defeat these locks, either through picking or just jostling the door open or breaking the jamb. Furthermore, it's often the case that the doors are not locked at all, or perhaps a window is left open, or unlocked, and it's just assumed that since it's a second story window, that nobody would try it.
So many of these homes are invaded by thieves. And yet, there is no question that those invading were violating a law.
If you enter a public place, rules tend to change. Despite the doors not being locked, I can walk into a grocery store and not feel like I've trespassed because it's a business and that's expected. However, I've often seen unmarked doors in dark corners of large stores, or even doors marked "Employee Only" or maybe an unlabeled staircase leading to who-knows-where. I know I'm not welcome in those areas, and if I entered one and was subsequently accosted for it, should I be shocked?
Now we start talking about computers, and their presence on public networks. To me this is some kind of bizarre combination of the two previous physical scenarios. The computers themselves are viewed as having the privacy rights of the house, whereas their offering and the environment in which they make the offer is more like the store, or even another unmentioned public situation: A public park. So how do we come to the conclusions we make? Why is "security by obscurity" not enough to justify criminal charges to those who would violate it?
Or, if you see things the other way, then I ask why you think that the public accessing a publicly offered machine is somehow unlawful, even if they are walking through those otherwise unmarked doors or looking for out-of-the way staircases?
Just because a person doesn't break a lock to get into a home doesn't mean it's not breaking and entering, and just because a door at a store is unmarked doesn't mean the person's trying to break the law either. In the internet, your computer is knowingly placed in the public arena with open attempts at making it easy for the public to find and access, yet somehow accessing an unadvertised part of that computer is a violation?
I don't think the answers are clear but I do think some of the associated assumptions on both sides are questionable. It's interesting to think about at least. Who has the responsibility here, is it the site admin's responsibility to batten down every hatch or is it reasonable to expect people not to snoop around? You tell me...
Re: (Score:2)
Then don't put your UNLOCKED door in my house! This is the internets
This argument is used all the time, but it really doesn't apply. Leaving your door unlocked is not consent, implied or otherwise, for anyone to waltz on in.
That doesn't justify morons running the site in question, but like many anecdotal arguments, it doesn't hold much water in the real world.
Re: (Score:2)
True, but this was more akin to walking in to a library, and finding confidential documents in the general section right next to the Sunday newspaper (AKA, not behind any doors at all). All it took was knowing (or figuring out) where to look. There was no door here (if there was, it would have been in the form of a password or a DNS block (only allowi
Re:tubes from their door to my keyboard (Score:5, Insightful)
How about a car analogy?
This isn't like breaking the window on a Civic and tearing out the stereo system that cost more than the car.
This isn't like opening the unlocked door on a Prius and taking someone's CD collection they left on the passenger seat.
This isn't like reaching through the open window of a hummer and snatching a stick of gum.
This is like getting on a public bus, and using your cell phone to snap pictures of the graffiti on the wall.
Re: (Score:2)
Exactly and having a website on the internet is like not even having a door or even a house. It was all spread on the lawn for everyone to stop and see.
Re: (Score:2)
Re: (Score:2)
It's neither trespassing nor breaking and entering. HTTP is a well known method of disseminating information. There are also well known ways of restricting access to information when you are disseminating it over HTTP. You can put it behind a firewall. You can restrict by IP ranges. You can give accounts with passwords to people who need to get it. No responsible organization can publish information on the web, not restricted by a firewall, not restricted by IP (which isn't very good anyway), not restr
Re: (Score:2)
If you had read the article you would know this wasn't a case of "guessing" the URL. The article states that they had a source that told them the EXACT url to use, and it doesn't involve a query string at all. This source (probably some lower level person inside the ministry in question) had knowledge of the new site, and what it contained, and they leaked this information to the journalists. This is 100% not hacking.
The URL in question is nswtransportblueprint.com.au. It isn't functioning now, but acco