MS ruling leaked through security blunder
Published: 05 Nov 2002 09:25 GMT
A security specialist is highly critical of apparent procedural inadequacies which saw the long-awaited judgment in the Microsoft anti-trust case posted online almost two hours before its official release. Stephen Martin, a senior security consultant with SMS Management Technology in Melbourne, said whoever posted the information online before its planned release time was severely underestimating the risk that it would be located early.
Martin said "it seems that the information may have been in the hands of people who didn't understand its sensitivity".
The incident would "...raise procedural questions about who managed the information from its conception through to its release."
Reports from the US indicate court staff placed the judgment on the court's website at 2:40 p.m. on Friday, ahead of its scheduled release time. The reports indicate court staff did not release a link to the information, assuming this would adequately secure the documents from external access.
The judgment was supposed to be published online at 4:30 p.m., half an hour after printed copies were to be given to Microsoft and government lawyers. At that time, the court planned to release a link to the document files that were already on its website, thereby making them public.
Someone was able to figure out where the documents were on the court's website before the link was released. The URL was not difficult to guess, and the US court's web server is set up to allow results to be easily accessed once they have been put online.
The judgment was placed online in several PDF electronic documents. They were found in a directory named "Opinions/2002/Kotelly". The judge's name is Colleen Kollar-Kotelly.
Anyone familiar with the way in which these judgments have been published online in the past would not have had any trouble finding the documents.
The file was not password protected in any way, and the court's Web server is configured to allow users to browse through directories when they don't know the name of the file that they are looking for.
A reader of technology news portal slashdot.org posted a link to the judgment documents, which the editors promptly published on their news page at 3:33 p.m.
It's been reported that over 4,000 slashdot readers read the judgment before 4:30 p.m., the time that it was supposed to be released.
This is not the first time that an organisation has accidentally released sensitive information in this way.
Last month the third quarter profit results for Swedish software company Intentia were accessed, and then published, by the Reuters news agency before their scheduled release.
Intentia had put the information on its website before its release time and assumed that no one would find it.
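In both cases the only control was that nobody had been given the link. The sketch below is an added illustration, not part of the original report or any court system: a release-time check applied to every request and to every directory index, so that a staged file is unavailable even when its URL is guessed. The file names, calendar date, UTC offset and function names are assumptions; the directory name and times are the ones reported above.

```python
import posixpath
from datetime import datetime, timedelta, timezone

# Constructed sample data. The directory name and the 3:33 / 4:30 p.m. times are
# from the article; the file names, calendar date and UTC offset are assumptions.
EASTERN = timezone(timedelta(hours=-5))
RELEASE = datetime(2002, 11, 1, 16, 30, tzinfo=EASTERN)
DOC_DIR = "/Opinions/2002/Kotelly"

# Files physically present under the web root (staged early, as in the incident).
ON_DISK = {
    DOC_DIR + "/earlier-opinion.pdf",
    DOC_DIR + "/judgment-part1.pdf",
    DOC_DIR + "/judgment-part2.pdf",
}
# Embargo manifest: path -> earliest moment the server may hand the file out.
EMBARGO = {
    DOC_DIR + "/judgment-part1.pdf": RELEASE,
    DOC_DIR + "/judgment-part2.pdf": RELEASE,
}


def normalize(path):
    """Collapse '.', '..' and repeated slashes so aliases of a path match the manifest."""
    return posixpath.normpath("/" + path.lstrip("/"))


def may_serve(path, now):
    """True only for files that exist and whose embargo (if any) has passed."""
    path = normalize(path)
    if path not in ON_DISK:
        return False
    release = EMBARGO.get(path)
    return release is None or now >= release


def directory_listing(directory, now):
    """Entries a directory index may show: embargoed names are left out entirely."""
    directory = normalize(directory)
    return sorted(
        posixpath.basename(p)
        for p in ON_DISK
        if posixpath.dirname(p) == directory and may_serve(p, now)
    )
```

With this check in place, a request at 3:33 p.m. for a staged judgment file is refused and the directory index shows only the earlier opinion; at 4:30 p.m. the same request succeeds without anyone touching the server.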