The focus of today’s exposé is: “the ethical hacker who takes on the oppressive state.”
The international press have recently picked up a local story about a “Hungarian teen arrested for exposing major security flaw in public transit website,” also known as the “Hungarian hacker arrested for pressing F12.” Even POLITICO Europe’s Playbook got into the act, reporting that the story has Hungarians complaining about how authorities arrested “the one guy who is trying to help” and that it has produced much “cynicism.”
According to the alternative facts, we have an 18-year-old “ethical hacker” who exposed a serious security flaw in Budapest public transport’s new, smartphone-based ticket system and, in return, was “dragged out of bed in the middle of the night” by police and thrown in jail. In this story, the big bad wolf is the Hungarian state. The news outlets that enjoy belittling those pesky Eastern Europeans implied that such events would not have happened in more civilized countries; other states would’ve been happy for the help from a smart kid and would’ve rewarded him instead of punishing him.
The police knocked on the young man’s door at 7 o’clock in the morning – which counts as the “middle of the night” for teenagers and apparently some journalists – to question him about hacking the Budapest public transport system. I’ll admit that it must have been an unpleasant surprise. Needless to say, in cases like these, the police are not acting on orders from the national government. Law enforcement remains separate and independent.
After word got out, the situation soon escalated when a virtual crowd mobilized to destroy the rating of the Center for Budapest Transport (BKK) on Google Apps and Facebook. Last Monday, in the pouring summer rain, some Hungarians protested in front of the transport authority, demanding freedom for the ethical hacker.
Unlike the police, the protestors were knocking at the wrong door. T-Systems, the private company that developed the mobile app, was the one that filed a complaint with the police, not the public transport authority – which, by the way, is overseen by the local municipality of Budapest and not the national government.
At the time of the protest, the “ethical hacker” was already at home because, contrary to the reports, he was only questioned by the police, not arrested.
The rather confusing letter that the young man had sent to BKK, informing them about the security flaw that he had discovered, gave the police reason to ask questions. The hacker in fact had demanded a cut from the company’s public procurement revenue, which may be interpreted as attempted blackmail.
“It may be surprising that I am only 18 years old and I did not even make such mistakes when I was only 13…Just saying,” the hacker boasts, “because at MÁV [the state railway company] I was able to buy a ticket completely for free and on Szerencsejáték Zrt.’s website [the state gambling company] I was able to create money for myself.”
The story here takes a turn because some — including the police — wondered whether the hacker had “ethically” reported his break-ins and if there were any unknown breaches that the hacker had kept secret. These are legitimate security questions.
As of this writing, it seems that the hacker has indeed been trying to behave ethically. Both the state railway and the gambling company thanked him for exposing such flaws. Apparently, the real story is that we have a clever teenager who is keeping an eye out for major IT vulnerabilities. Two state companies thanked him, one (BKK) did not respond, and a private company, T-Systems, chose to report him to the police. This complaint, combined with the tone of his letter, is what raised suspicions and prompted the police to bring him in for questioning.
Last Tuesday morning, information surfaced that T-Systems does not take kindly to these so-called ethical hackers. In fact, it is not the first time the company has turned to the police on such matters. Additionally, Index.hu’s recent article tells us the story of another ethical hacker, András, who had been offered a job by T-Systems. When they saw his salary request, according to the article, they decided to report him to the police.
Last week, GovCERT, Hungary’s national cyber security institution operating under the national special services, released an ad emphasizing that ethical hackers could report any security flaws to the government, anonymously if they want. If they want to disclose personal data, the agency will handle it confidentially. Furthermore, the mayor of Budapest announced that T-Systems will have to correct the app they delivered to BKK, at their own expense.
You won’t read these details in the international coverage of the story, those articles that depicted the “backwards police state of Hungary vs. the ethical hacker.” Often, it’s the details they leave out – because they were sloppy or because the simpler version fits their narrative – that make these news items fake. This ethical hacker story should serve as a reminder to the professional journalist who is concerned about getting the story right: be skeptical and careful about your sources.