(Too) Easy Access

Computerworld - On Thursday afternoon, Oct. 24, Swedish software vendor Intentia International AB uploaded its financial results to its Web server more than an hour before the company was scheduled to announce them officially. Minutes later, the Reuters news service found the information there and broke the news immediately - sending Intentia executives scrambling to release it themselves. Last Monday, Intentia filed a criminal complaint with the Swedish police, accusing Reuters of breaking into its Web server. And how did Reuters hack into Intentia's financial data? By typing a URL into a Web browser.
Yep, that's it. Intentia initially claimed the financial results were protected with a 40-character password. But after Reuters denied using any passwords to get the data, Intentia changed its story, saying just that the financial results were in a "private" area of the Web server and there was no official link to them.
In other words, the financial results - which by law weren't supposed to be made available on the Internet before they were also released to the Swedish stock exchange and newspapers - weren't actually protected at all. The Reuters "break-in" consisted of guessing the right file name, based on announcements of previous Intentia results.
And anyone could have made the same guess.
OK, if you're in a corporate IT shop, you're probably rolling your eyes right about now. You know Intentia shouldn't have left confidential information unprotected. You can probably even recite the ways it could easily have been kept secure. For example, by keeping it on the Web server in encrypted form, and only decrypting it at the last minute. Or by giving it a highly random, hard-to-guess file name that would only be changed to a conventional name at the last minute. Or by using file permissions to prevent the file from being accessed, and changing them only at the last minute.
Then again, the easiest way to protect that information would have been simply to not upload it to the Web server until the last minute. Because if it's not on the server, it can't be on the Web.
Seems obvious, doesn't it? But it wasn't obvious to the investor-relations people at Intentia - a company that sells "e-collaboration" software and plans to get into Web services, so you'd think its employees would have a handle on this newfangled Internet stuff.
Nor is it obvious to plenty of other users who really do have the idea that as long as there's no official link to it, information on a Web server is