Press, Blogs, and Security


My apology from earlier this week has landed in the Salt Lake Tribune. The article is entitled "A Hack Attack? Oops!" which is a pretty good headline, but the article characterizes what I did as hacking "into the state Web site." This is, of course, inaccurate, but probably how most non-techies would see it. There was actually no hacking. The tool operates entirely by asking the system to retrieve URLs from the public Web site interface and then noting the response. Weaknesses and vulnerabilities were probed and cataloged. These vulnerabilities were not exploited: no data was changed on the system (other than what normally happens when a user visits the system). The system wasn't broken into.

There are a few interesting things about this story related to blogging:

  • This ended up in the paper because I'm a (minor) public figure in Utah. My blog allowed me to talk to people in my own voice independent of the newspaper. That was a big plus.
  • The article quotes my blog extensively. My public voice on my blog became my voice in the article. It also saved Rebecca the time of calling and making a lot of notes which, of course, are never complete. This made for more accurate reporting.
  • The blog doesn't seem the same as a press release (which would have been discounted) because it's written for a different purpose and in my own voice. The blog has a readership; press releases don't have readers.

The article says that the State Bureau of Investigation will be reviewing the incident to "see if there are any implications for state policy." I can think of a few, but they're not appropriate to post publicly.