The moment of truth - update on the eTicket scandal

In the past few days, the CYA operations continued through the press. However, as we all know it, facts are stubborn things and if you add in that software bears a lot of evil complexity, you can be sure that what may break will break and the nasty truth will sooner or later manifest itself.

So here are a few nuggets, really just the most fascinating things I've bumped into:

T-Systems international has weighed in

... and after a bit of compulsory "they're not us" (or clarification of the legal relationships between the companies, if you will) made it clear that they think the hacker guy should indeed have been rewarded and not prosecuted, and they asked the Hungarian companies (Magyar Telekom and T-Systems Hungary) to support the ethical hacker guy by all means. This is very positive and 100% in line with what I expected to happen. Also, a nice proof that couch activism or slacktivism can work.

The contract for the system was signed a day before the launch

I've also heard that they had been working on it for only three months, but as I stated in my previous post, I think this could be built to a better quality in two weeks. The fact that the contract was signed the day before the launch (and three days after the planned launch) suggests that they didn't even have 3 months. But most importantly it hints that the goal was to make it live for the FINA championship, which is of course very far from being a real professional or business requirement (quite the contrary, actually), thus it's hard to think of any driving force but politics.

Users' data have leaked

One of the news sites that has been covering the scandal since the beginning seems to have talked to a (real) hacker who seems to have had a much closer look at the system than the young guy from the previous post. They have proven with a screenshot of a JSON file that user data was indeed extracted from the system. It contains sensitive personal information (email addresses, encrypted passwords, and ID card/passport numbers) and also some settings and UI properties (including CSS styles). It's hard to tell the source of the data because some parts suggest that it must have been returned by an API (e.g. the UI properties), while others make that look unlikely (hashed passwords) and more like a poorly designed database. Either way, it doesn't look good, irrespective of the hack.

Fun fact: BKK+TSystems made candid claims last week at the first press conference that the system was secure, users' data were safe and there was no need to take the system offline. This specific leak is claimed to have happened on the 16th, two days after the launch and the '50Ft' hack, and two days before the press conference.

It's been taken offline, but it's our fault

OK, maybe not mine and not yours, but definitely not theirs either. It's the hackers, the internet, but definitely not the software. But if the software is safe and secure (see above), then what problems can attacks cause? At first, since they talk about availability, you'd think that it's a DoS attack again. (The BKK home page was made unavailable for quite a few hours on the 21st when the ethical hacker was arrested.) But it's not: the above page loads pretty quickly. No, it doesn't seem to come from a CDN; it is served from the same IP address as a few days ago.

And if it's not a DoS, then it leaves us with the option that somehow the software itself is not really resistant to hacking. Even though during last week's press conference we were told that it was originally as secure as the average Hungarian web shop, and that since the launch they had made it even more secure. Now I don't know the Hungarian average, how it has been calculated or even what it means at all (do large and obviously secure ones have the same weight as my left neighbour's misconfigured Magento and my right neighbour's unsecurable WooCommerce/WordPress site?), but if I were a webshop owner, I'd be pretty pissed off.