http://www.wired.com/news/news/technology/story/15033.html Can You Believe What You Read? by Michael Stutz 9:45am 16.Sep.98.PDT When The New York Times on the Web was hacked Sunday, the site was shut down for more than nine hours after technicians unsuccessfully fought a group of hackers for control of the system. "This is something that all news media and all people who have credible information need to look out for," said Rich Meislin, editor in chief of electronic media at The New York Times. "Someone could have tampered with a minor detail in a story and that would have not been detected quite as easily." But Meislin said that he or another editor would have found the spoof quickly enough and taken corrective action. "One of our readers or editors would have got to it" he said. "We tend to live around our site." Meislin confirmed that the Times site is viewed millions of times every day. In this case, the site's content was replaced with a mocked-up page of political statements. But what if a bogus, but very real-looking, news story had been posted, or hackers had tampered with an existing story to spread misinformation? Nielsen said that the company's subscriber list was not touched during the hack and no stories in its archives were modified. "If anything had been altered, or anything was changed, I would think that we'd know it." But would they? The potential for creating misinformation is very real, said the editorial director of The Gate, the Web site for the San Francisco Chronicle, San Francisco Examiner, and several TV stations. "What happens if someone posts a faux Gate?" said George Shirk. "What if it contains serious libel or a virus? "We do the best we can under the circumstances to protect ourselves in a variety of different ways. However, it is very sobering indeed when the Times gets hacked," Shirk said. A member of a Boston-based hacker collective called the L0pht said the hack was interesting, but not for the reasons most of the media have focused on. "Here we have an organization whose purpose is to distribute accurate information to the general public," said the hacker, a network security expert who calls himself "Mudge." "Given their goal of distributing accurate information and their choice for one of the vehicles to be the World Wide Web, one would imagine that the security and integrity of the information they are publishing would be important to them." That said, Mudge raised the question: "If their site was hacked in such an obvious fashion -- where the intruders replaced their Web site -- how long were more subtle changes being done? How can anyone trust the information distributed by the Times in good faith after this?" Information-warfare and computer-security expert Winn Schwartau said the damage done if a cracker were to modify or add a story would be considerable. "There's an awful lot of caveats in that statement, but [it would] certainly do a tremendous amount of damage," Schwartau said. Mudge, who earlier this year testified before Congress on the topic of information warfare, said there was no easy solution to the problem. "If there was one magical thing that could be done, do you think [security] would even be an industry?" he said. The crackers' motive, according to Times spokeswoman Nancy Nielsen, was not to modify stories but to attack Times reporter John Markoff for his coverage of imprisoned cracker Kevin Mitnick. What if the crackers had modified the text of Kenneth Starr's report on the Times site, for example, changing the facts in even a minor way? "If something like that were to happen, and a story was altered in a way that was noticeable -- maybe if they added an outrageous fact -- a reader or Web viewer would notice it within minutes," Nielsen said. "They would call us, it would come to our attention, and then we would address it." In other words, the same process used for correcting errors in newspapers would be applied online. "I don't know why this pops to mind, but somehow, the pages in The New York Times, it's like knowing your own children -- you know it so well, that if there's one thing that's wrong, you spot it immediately," Nielsen said. "Or somebody will, and bring it to our attention." Schwartau said that if some kind of digital signature mechanism were to be put in place, text could be at least be verified as accurate. "You need to be part of the Public Key Infrastructures in one way or another," Schwartau said. "Either you'd be using PGP (Pretty Good Privacy), PK, [or] Certification Authority -- some of those types of mechanisms do a certification... of the validity or integrity of the data. That's all doable, and there's certainly been an ongoing nationwide effort to establish things like that." But right now, news media don't use these "integrity wrappers" on their digital content, Schwartau said. According to Nielsen, the Times' current systems have been certified by security consulting firms. The paper has the kind of in-house security team one would expect, she added, but declined to provide any details. The site underwent a security audit by Bellcore two years ago. Certified by a security consulting firm, yet the site was broken into and the web page defaced. Bellcore did the audit two years ago, but is not said to do ongoing certification. This seems like a cheap shot NYT is using to place blame elsewhere. "Bellcore did some auditing work for us a couple of years ago, when we had our start-up site in Illinois," said Nielsen. "Now we have totally different hardware, it's here in New York, and as you know with technology, a 2-year-old report is like 100 years old." New hardware, new operating systems, by their own words. Yet they are dragging Bellcore into this? While Bellcore conducted security assessments on the site, they did not "certify" it as secure. "Bellcore does not 'certify' a Web site as secure," the company said Tuesday in a statement. "Instead, we conduct security assessments designed to provide customers with a realistic appraisal of security-related features and functions of their network and systems." Schwartau agreed that Web-site security certification does not work. "You can't certify something," said Schwartau. "That's absurd. You cannot certify something like this. The only way to certify it is to turn the power off."