Can You Believe What You Read?
by Michael Stutz
9:45am  16.Sep.98.PDT

When The New York Times on the Web was hacked Sunday, the site was shut
down for more than nine hours after technicians unsuccessfully fought a
group of hackers for control of the system. 

"This is something that all news media and all people who have credible
information need to look out for," said Rich Meislin, editor in chief of
electronic media at The New York Times. "Someone could have tampered with
a minor detail in a story and that would have not been detected quite as

But Meislin said that he or another editor would have found the spoof
quickly enough and taken corrective action. 

"One of our readers or editors would have got to it" he said. "We tend to
live around our site." Meislin confirmed that the Times site is viewed
millions of times every day. 

In this case, the site's content was replaced with a mocked-up page of
political statements. But what if a bogus, but very real-looking, news
story had been posted, or hackers had tampered with an existing story to
spread misinformation? 

Nielsen said that the company's subscriber list was not touched during the
hack and no stories in its archives were modified. 

"If anything had been altered, or anything was changed, I would think that
we'd know it." 

But would they? The potential for creating misinformation is very real,
said the editorial director of The Gate, the Web site for the San
Francisco Chronicle, San Francisco Examiner, and several TV stations. 

"What happens if someone posts a faux Gate?" said George Shirk. "What if
it contains serious libel or a virus? 

"We do the best we can under the circumstances to protect ourselves in a
variety of different ways. However, it is very sobering indeed when the
Times gets hacked," Shirk said. 

A member of a Boston-based hacker collective called the L0pht said the
hack was interesting, but not for the reasons most of the media have
focused on. 

"Here we have an organization whose purpose is to distribute accurate
information to the general public," said the hacker, a network security
expert who calls himself "Mudge." 

"Given their goal of distributing accurate information and their choice
for one of the vehicles to be the World Wide Web, one would imagine that
the security and integrity of the information they are publishing would be
important to them." 

That said, Mudge raised the question: "If their site was hacked in such an
obvious fashion -- where the intruders replaced their Web site -- how long
were more subtle changes being done? How can anyone trust the information
distributed by the Times in good faith after this?" 

Information-warfare and computer-security expert Winn Schwartau said the
damage done if a cracker were to modify or add a story would be

"There's an awful lot of caveats in that statement, but [it would]
certainly do a tremendous amount of damage,"  Schwartau said. 

Mudge, who earlier this year testified before Congress on the topic of
information warfare, said there was no easy solution to the problem. 

"If there was one magical thing that could be done, do you think
[security] would even be an industry?" he said. 

The crackers' motive, according to Times spokeswoman Nancy Nielsen, was
not to modify stories but to attack Times reporter John Markoff for his
coverage of imprisoned cracker Kevin Mitnick. 

What if the crackers had modified the text of Kenneth Starr's report on
the Times site, for example, changing the facts in even a minor way? 

"If something like that were to happen, and a story was altered in a way
that was noticeable -- maybe if they added an outrageous fact -- a reader
or Web viewer would notice it within minutes,"  Nielsen said. "They would
call us, it would come to our attention, and then we would address it." 

In other words, the same process used for correcting errors in newspapers
would be applied online. 

"I don't know why this pops to mind, but somehow, the pages in The New
York Times, it's like knowing your own children -- you know it so well,
that if there's one thing that's wrong, you spot it immediately," Nielsen
said. "Or somebody will, and bring it to our attention." 

Schwartau said that if some kind of digital signature mechanism were to be
put in place, text could be at least be verified as accurate. 

"You need to be part of the Public Key Infrastructures in one way or
another,"  Schwartau said. "Either you'd be using PGP (Pretty Good
Privacy), PK, [or] Certification Authority -- some of those types of
mechanisms do a certification...  of the validity or integrity of the
data.  That's all doable, and there's certainly been an ongoing nationwide
effort to establish things like that." 

But right now, news media don't use these "integrity wrappers" on their
digital content, Schwartau said. 

According to Nielsen, the Times' current systems have been certified by
security consulting firms. The paper has the kind of in-house security
team one would expect, she added, but declined to provide any details. The
site underwent a security audit by Bellcore two years ago. 

Certified by a security consulting firm, yet the site was broken
into and the web page defaced. Bellcore did the audit two years ago, but 
is not said to do ongoing certification. This seems like a cheap shot NYT is
using to place blame elsewhere.

"Bellcore did some auditing work for us a couple of years ago, when we had
our start-up site in Illinois," said Nielsen. "Now we have totally
different hardware, it's here in New York, and as you know with
technology, a 2-year-old report is like 100 years old." 

New hardware, new operating systems, by their own words. Yet they
are dragging Bellcore into this?

While Bellcore conducted security assessments on the site, they did not
"certify" it as secure. 

"Bellcore does not 'certify' a Web site as secure," the company said
Tuesday in a statement. "Instead, we conduct security assessments designed
to provide customers with a realistic appraisal of security-related
features and functions of their network and systems." 

Schwartau agreed that Web-site security certification does not work. 

"You can't certify something," said Schwartau. "That's absurd. You cannot
certify something like this. The only way to certify it is to turn the
power off."