Monday, September 10, 2012

Hacking the Budget

This year, Treasury decided to cut the cost of presenting the Budget by releasing a smartphone app, allowing them to reduce the number of paper copies they printed. Someone was curious about this, so they used FYI, the public OIA request website, to request a copy of the app's source code. They were unsuccessful, but a subsequent request attempting to discover why turned up an interesting fact. Someone tried to use the app to hack the Budget:

Of greater concern is that release of the code would cause significant security risks to the integrity of the Budget app, as well as premature release of future Budget material, which potentially could be market-sensitive. This is something we are particularly conscious of given last Budget attempts were made to infiltrate servers and reverse engineer the Budget app to gain early access to Budget-sensitive information.

This is big news; I wonder whether the police have any suspects? Maybe some journalists should ask and see?

As for their claim that this justifies refusal to release information, security through obscurity isn't. The way you ensure security is by publishing code so that bugs can be found well in advance, not by hiding it and hoping no-one notices if you've done a bad job.