Comment by gnfargbl 2 days ago

The real kicker is in point 1.13:

> website activity logs show the earliest request on the server for the URL https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl.... This request was unsuccessful, as the document had not been uploaded yet. Between this time and 11:30, a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses.

In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.

The report acknowledges this at 2.11:

> In the course of reviewing last week’s events, it has become clear that the OBR publication process was essentially technically unchanged from EFOs in the recent past. This gives rise to the question as to whether the problem was a pre-existing one that had gone unnoticed.
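The pattern described in point 1.13 (repeated unsuccessful requests to a not-yet-uploaded URL from a handful of addresses, followed by a successful fetch before release) is detectable from ordinary web-server access logs. The following is an added example, not code from the OBR report or from any commenter: it parses constructed log lines in the common Apache/nginx format and counts pre-embargo probes per IP, separately flagging any 2xx response served before the release time. The path, timestamps, release time and IP addresses are invented for illustration.

```python
"""Flag pre-embargo requests to an embargoed document in web-server access logs.

Added example, not from the OBR report or the thread above. Log lines are
constructed in the common Apache/nginx format; the path, release time and
IP addresses are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Common log format: ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical embargoed path and release time (11:30 UTC that day).
EMBARGOED_PATH = "/docs/dlm_uploads/example_outlook.pdf"
EMBARGO_AT = datetime(2025, 11, 26, 11, 30, tzinfo=timezone.utc)

# Constructed sample: two addresses poll the URL and get 404s before the file
# exists, one of them then receives the file before the embargo lifts, and a
# normal post-release download follows.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Nov/2025:09:00:01 +0000] "GET /docs/dlm_uploads/example_outlook.pdf HTTP/1.1" 404 153
203.0.113.5 - - [26/Nov/2025:09:05:02 +0000] "GET /docs/dlm_uploads/example_outlook.pdf HTTP/1.1" 404 153
198.51.100.7 - - [26/Nov/2025:09:05:40 +0000] "GET /docs/dlm_uploads/example_outlook.pdf HTTP/1.1" 404 153
192.0.2.9 - - [26/Nov/2025:10:10:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [26/Nov/2025:10:59:13 +0000] "GET /docs/dlm_uploads/example_outlook.pdf HTTP/1.1" 200 2048576
203.0.113.5 - - [26/Nov/2025:11:31:00 +0000] "GET /docs/dlm_uploads/example_outlook.pdf HTTP/1.1" 200 2048576
"""


def parse_line(line):
    """Parse one common-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def pre_embargo_activity(log_text, path, embargo_at):
    """Return (probes, leaks) for requests to `path` made before `embargo_at`.

    probes: {ip: number of non-2xx requests}  -- someone guessing the URL early
    leaks:  [(ip, time), ...] for 2xx responses -- the control failed and the
            document was actually served before release
    """
    probes = defaultdict(int)
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path or rec["time"] >= embargo_at:
            continue
        if 200 <= rec["status"] < 300:
            leaks.append((rec["ip"], rec["time"]))
        else:
            probes[rec["ip"]] += 1
    return dict(probes), leaks


def summarize(log_text, path, embargo_at):
    """Headline numbers of the kind an incident report quotes."""
    probes, leaks = pre_embargo_activity(log_text, path, embargo_at)
    return {
        "unsuccessful_requests": sum(probes.values()),
        "unique_probing_ips": len(probes),
        "served_before_embargo": leaks,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, EMBARGOED_PATH, EMBARGO_AT))
```

Run against the real logs, the probe counts tell you how long the URL had been guessable, and any entry in `served_before_embargo` is the leak itself. Running the same query over logs from earlier publications is how you answer the question raised in 2.11 about whether this was already happening.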

philipwhiuk 2 days ago

> In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.

The URLs are predictable. Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.

  • blitzar 2 days ago

    I used to do this for BOE / Fed minutes, company earnings etc on the off chance they published it before the official release time.

    2025-Q1-earnings.pdf - smash it every 5 seconds - rarely worked out, generally a few seconds head start at best. By the time you pull up the pdf and parse the number from it the number was on the wires anyway. Very occasionally you get a better result however.

  • kypro 2 days ago

    This is so incompetent.

    Given the market significance of the report it's damn obvious that this would happen. They should have assumed that security via obscurity was simply not enough, and the OBR should have been taking active steps to ensure the data was only available at the correct time.

    > Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.

    It's not even just hedge-funds that do this. This is something individual traders do frequently. This practice is commonplace because a small edge like this with the right strategy is all you need to make serious profits.

    • mjw1007 2 days ago

      They weren't in any way attempting to rely on security by obscurity.

      They didn't assume nobody would guess the URL.

      They did take active steps to ensure the data was only available at the correct time.

      But they didn't check that their access control was working, and it wasn't.
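The check the comment above says was missing can be automated: before the release time an anonymous request for the document URL must be refused, and after it the document must be served. The following is an added example, not OBR code or anything posted in this thread. The URL and release time are placeholders, and `fetch` is injectable so the decision logic can be tested without a network; the default fetcher uses the standard library `urllib`.

```python
"""Pre-publication check that an embargoed URL is not served before release.

Added example, not from the OBR or the commenters. PLACEHOLDER_URL and
RELEASE_AT are hypothetical; replace them with the real document URL and
release time. `fetch` can be swapped for a stub when testing offline.
"""
import urllib.error
import urllib.request
from datetime import datetime, timezone

PLACEHOLDER_URL = "https://example.invalid/docs/dlm_uploads/example_outlook.pdf"
RELEASE_AT = datetime(2025, 11, 26, 11, 30, tzinfo=timezone.utc)

# Sample instants for demonstrating both sides of the release boundary.
T_BEFORE = datetime(2025, 11, 26, 9, 0, tzinfo=timezone.utc)
T_AFTER = datetime(2025, 11, 26, 11, 35, tzinfo=timezone.utc)

BLOCKED = {401, 403, 404}


def http_status(url, timeout=10):
    """HTTP status for an anonymous GET (no cookies, no auth), errors included."""
    req = urllib.request.Request(url, headers={"User-Agent": "embargo-check/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def embargo_check(url, release_at, now=None, fetch=http_status):
    """Return (ok, status, reason).

    Before release_at the URL must answer 401/403/404 to an anonymous client;
    after release_at it must answer 2xx. Anything else is a failed check.
    """
    now = now or datetime.now(timezone.utc)
    status = fetch(url)
    if now < release_at:
        if status in BLOCKED:
            return True, status, "blocked before release"
        if 200 <= status < 300:
            return False, status, "LEAK: document served before release"
        return False, status, "unexpected status before release"
    if 200 <= status < 300:
        return True, status, "served after release"
    return False, status, "document not reachable after release"


if __name__ == "__main__":
    ok, status, reason = embargo_check(PLACEHOLDER_URL, RELEASE_AT)
    print(f"{'PASS' if ok else 'FAIL'}: {status} {reason}")
    raise SystemExit(0 if ok else 1)
```

Two caveats matter in practice. A 404 only proves the control works once the file has actually been uploaded to the staging location, so the pre-release check has to run after the upload, not just before it. And the client must be anonymous: a check run from a browser session that is logged in to the CMS will pass even when the public internet can read the file.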

    • stuaxo 2 days ago

      This setup was not initially approved, see 1.7 in the document:

      > 1.7 Unlike all other IT systems and services, the OBR’s website is locally managed and outside the gov.uk network. This is the result of an exemption granted by the Cabinet Office in 2013. After initially rejecting an exemption request, the Cabinet Office judged that the OBR should be granted an exemption from gov.uk in order to meet the requirements of the Budget Responsibility and National Audit Act. The case for exemption that the OBR made at the time centred on the need for both real and perceived independence from the Treasury in the production and delivery of forecasts and other analysis, in particular in relation to the need to publish information at the right time.

kristianc 2 days ago

Part of this is a product of the UK's political culture where expenses for stuff like this are ruthlessly scrutinised from within and without.

The idea of the site hosting such an important document running independently on WordPress, being maintained by a single external developer and a tiny in-house team would seem really strange to many other countries.

Everyone is so terrified of headlines like "OBR spends £2m upgrading website" that you get stuff like this.

  • toyg 2 days ago

    It's not an easy call. Sometimes, one or two dedicated and competent people can vastly outperform large and bureaucratic consulting firms, for a fraction of the price. And sometimes, somebody's cousin "who knows that internet stuff" is trousering inflated rates at the taxpayer's expense, while credentialed and competent professionals are shut out from old boys' networks. One rule does not fit all.

    • kristianc 2 days ago

      It would work if old boys' networks were not the de facto pool that the establishment hired from. The one time where UK GOV did go out and hire the best of the best in the private sector regardless of what Uni they went to we got GDS and it worked very well, but it seems like an exception to usual practice.

lesuorac 2 days ago

> This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.

I think most of the tech world heard about the Nobel Peace Prize award so it doesn't seem that suspicious to me that somebody would just poll urls.

Especially since before the peace prize there have been issues with people polling US economic data.

My point is strictly, knowledge that they should poll a url is not evidence of insider activity.

  • accoil 2 days ago

    How does the Nobel Peace Prize figure into this? I seem to be on the other side that didn't hear about the award. Which is not surprising as I don't follow it, but also I haven't worked out query terms to connect it with OBR.

    • lesuorac 2 days ago

      Somebody monitored the metadata on files to figure out who the winner of the Nobel Prize was, prior to the official announcement, by the candidate that was modified. Which they used to financially profit in betting markets.

      It relates to OBR because it's another scenario where people just by polling the site can figure out information that wasn't supposed to be released yet. And then use that information to profit.

      Since a recent event of polling was in the news, the idea of polling isn't really evidence of an insider trying to leak data versus somebody just cargo-culting a technique. Plus polling of financial data was already common.

      • earl_gray 18 hours ago

        Thank you for answering that person’s question so clearly. I was also in the dark and this really helped.

    • jjmarr 2 days ago

      Because it was insider traded on Polymarket many hours before it was publicly announced.

rahimnathwani 2 days ago

The report also says a previous report was also accessed 30 mins early.