Back when Magyar Nemzet was the Orbán government’s leading propaganda vehicle, it was practically an everyday occurrence that the prosecutor’s office, the police, and the national security offices leaked information to the paper that the government wanted to use against its political opponents. Now that Magyar Nemzet is a respectable newspaper, it is Magyar Idők’s job to indicate the government’s intentions and perhaps even give guidance to all the other government propaganda outlets as to what the official line is.
After two weeks of embarrassment over the irresponsible management of the Budapest Transit Authorities (BKK) and T-Systems’ shoddy e-ticket software, the decision was made to divert attention from this incompetence to an alleged conspiracy that would conveniently involve Index, one of the few quality news sites left in Hungary. This government ruse has the added benefit of being a frontal attack on an independent media outlet that was recently purchased by Viktor Orbán’s domestic archenemy, Lajos Simicska.
To summarize the sequence of events, here are a few facts that are necessary to understand the story. On July 13 BKK made the announcement that at last e-tickets can be purchased on its website. The procedure will be fast and reliable. The purchaser will have a bright green e-ticket on his smart phone that will allow him to use BKK’s transportation system.
Index has a number of journalists who specialize in internet technology. They test new software and report on its reliability and usefulness. As soon as BKK announced the availability of the e-ticket, one of Index’s “tech experts,” Balázs Tóth, purchased a one-day ticket and traveled all over the city, hoping to encounter a ticket controller to see how well the system was prepared for the change. Without going into the details, it turned out that they are not and the whole experiment was a nightmare. The story was told in an article that appeared on July 14 at 12:01.
A few hours later (16:31) Balázs Tóth wrote another article in which he reported that after the appearance of the first article Index received an incredible number of e-mails from people with similar experiences. Among the many such letters was the one from the 18-year-old high school student who became known later as the “ethical hacker.” All the details of his story can be found in my article titled “Another grain of sand on the pile: The e-ticket fiasco,” but here I will focus on this second Index article, which has turned out to be a critical piece of “evidence” according to Magyar Idők, showing Index’s guilt in the massive cyber attack against BKK, intended to create chaos during the World Aquatic Championships.
From this second article we learn that after receiving the ethical hacker’s e-mail, the Index folks got in touch with BKK, telling the company about glitches in the program that allows users to change the price of the tickets. We also learned here that by that time BKK had a chance to read the ethical hacker’s e-mail, his e-ticket had already been deleted. This piece of information will become important later when we try to cast doubt on Magyar Idők’s accusation.
So, let’s move on to the article Magyar Idők published today, which is supposed to expose “an organized cyber attack planned and executed by the ‘ethical hacker’ and Index.” The proof? The timeline prepared most likely by some national security agency attached to the ministry of the interior.
This timeline is as follows. BKK ascertained that the ethical hacker entered its website at 12:49 on July 14–that is, 48 minutes after Index’s first article appeared about the deficiencies of the system. After looking around and discovering the glitch, he bought a ticket at 13:38, which means that it took him one hour and 17 minutes to find the coding error. A little more than an hour later, at 14:49, he sent an e-mail to the wrong address, but soon enough he realized his mistake and sent another e-mail to the proper address at 15:11. I should add something here that the Magyar Idők article omits. Sometime after his first e-mail to BKK, the young man also fired off a letter to Index. At 15:33 Index sent an e-mail to BKK in which Balázs Tóth told the company about the glitch that allows people to buy tickets for practically pennies and asked them a number of questions.
These questions were passed on to Magyar Idők by, I assume, BKK and published verbatim by Zsolt Bayer in an editorial titled “The BKK affair: A bunch of lies,” which appeared in the same issue. Index wanted to know whether the problem was already solved or not, when will the system be secure, will they change the method of password use, and other technical questions. They waited an hour. When the paper still hadn’t received an answer, Balázs Tóth published his article in which he revealed the glitch. He added that Index had contacted BKK but no answer came, but they will “refresh” the article as soon as they hear. And indeed, when the BKK’s meaningless answer arrived, Index updated the article. BKK didn’t answer any of the questions but assured Index that despite extensive internet attacks, the system was working fine and was accessible and usable. BKK claimed from the very beginning that there was an automatic system that precluded any possibility of abuse. BKK also claimed that after the incident further security measures were introduced into the system.
But that was not the end of the story. Once the hackers out there in cyberspace suspected that BKK’s site was vulnerable, they bombarded it with thousands of attacks, the result of which was that the whole site had to be shut down. Magyar Idők considers this to be a criminal act, part of a huge conspiracy between the boy, Index, and who knows who else. The proof is the 22 minutes that elapsed between the ethical hacker’s e-mail to BKK and Index’s e-mail to BKK. First of all, since we know that the e-mail Index passed on to BKK was the one ethical hacker wrote to the wrong address at 14:49, the time between the boy’s purchase of an e-ticket and Index’s letter to BKK was not 22 minutes as Zsolt Bayer claims but more like an hour. But even 22 minutes is a very long time in our cyber world. Our sophisticated high school student, after discovering the error, immediately fired off an e-mail (sometime after 14:49) to Index. Once the internet savvy journalists who specialize in information technology checked out the system and found that the information they received was correct, Index immediately wrote to BKK. They waited an hour. No answer came.
Bayer finds Index’s handling of this particular case unethical because in his opinion it was unfair to give BKK “less than an hour to check the information provided by Index to compile the required information.” But Bayer is mistaken. As I pointed out earlier, BKK, by the time it had received Index’s questions, knew about the illegal purchase of an e-ticket and had already deleted the boy’s transaction. BKK didn’t have to spend hours discovering something it already knew. BKK’s eventual answer clearly indicates that the company had no intention of admitting any security problems and wanted to maintain that all was just fine. In brief, they didn’t want any help from anyone because, as far as they were concerned, there was no problem in the first place.
Magyar Nemzet pointed out that today’s world of rapid fire publication of news items online doesn’t allow the luxury of waiting for hours on end or even days with an article that one considers important and newsworthy. Index did what it was supposed to do and what all other internet news sites do. Bayer’s whole conspiracy theory rests on very shaky grounds.
But what is really worrisome is that the Magyar Idők article, based most likely on leaked information from the authority that is working on the case, maintains that the ethical hacker’s individual action was the “introductory act” of the coordinated denial-of-service cyber attack that came a few hours later. Normally there are 300-400 hits per second on that particular site, but that afternoon they numbered 13,000. Within an hour almost 47 million hits were received. As a result the whole system collapsed.
All this indicates to me that both the ethical hacker and Index should look for good lawyers because the cyber security cops will do their best to make them responsible for the subsequent collapse of the system.