Comment by philipwhiuk

Comment by philipwhiuk 2 days ago

5 replies

View on Hacker News

> In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.

The URLS are predictable. Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.

blitzar 2 days ago

I used to do this for BOE / Fed minutes, company earnings etc on the off chance they published it before the official release time.

2025-Q1-earnings.pdf - smash it every 5 seconds - rarely worked out, generally a few seconds head start at best. By the time you pull up the pdf and parse the number from it the number was on the wires anyway. Very occasionally you get a better result however.

Reply View 0 replies
kypro 2 days ago

This is so incompetent.

Given the market significance of the report it's damn obvious that this would happen. They should have assumed that security via obscurity was simply not enough, and the OBR should have been taking active steps to ensure the data was only available at the correct time.

> Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.

It's not even just hedge-funds that do this. This is something individual traders do frequently. This practise is common place because a small edge like this with the right strategy is all you need to make serious profits.

Reply View 3 replies
  • mjw1007 2 days ago

    They weren't in any way attempting to rely on security by obscurity.

    They didn't assume nobody would guess the URL.

    They did take active steps to ensure the data was only available at the correct time.

    But they didn't check that their access control was working, and it wasn't.

    Reply View 0 replies
  • stuaxo 2 days ago

    This setup was not initially approved, see 1.7 in the document:

    > 1.7 Unlike all other IT systems and services, the OBR’s website is locally managed and outside the gov.uk network. This is the result of an exemption granted by the Cabinet Office in 2013. After initially rejecting an exemption request, the Cabinet Office judged that the OBR should be granted an exemption from gov.uk in order to meet the requirements of the Budget Responsibility and National Audit Act. The case for exemption that the OBR made at the time centred on the need for both real and perceived independence from the Treasury in the production and delivery of forecasts and other analysis, in particular in relation to the need to publish information at the right time.

    Reply View 1 reply