Intercepted HP phone message yields cautionary voice mail tale

By Brian Bergstein, The Associated Press
Saturday April 13, 2002

SAN JOSE, Calif. — It’s the talk of Silicon Valley: How did someone break into the voice mail of Hewlett-Packard Co.’s chief financial officer, snag a sensitive message from his boss, Carly Fiorina, and leak it to the local newspaper? 

HP executives were shocked. But experts in phone systems and computer security say they’re not surprised — largely because voice mail is digital and is stored on computers. 

“If you don’t want it publicized, don’t say it digitally,” said Bruce Schneier, founder of Counterpane Internet Security Inc. “Don’t put it in e-mail, don’t record it in a voice mail, don’t put it in a PowerPoint presentation. Basically, all of this stuff is vulnerable.”

The issue arose Wednesday, when the San Jose Mercury News reported that a March 17 message Fiorina left for CFO Robert Wayman had been anonymously forwarded to one of its reporters. 

The newspaper printed a transcript of the message and made the audio clip available online. 

In the message, left two nights before shareholders voted on HP’s $19 billion acquisition of Compaq Computer Corp., Fiorina told Wayman she was worried that Deutsche Bank Asset Management and Northern Trust Global Investments would reject the deal. 

“We may have to do something extraordinary for those two to bring them over the line here,” Fiorina told him. 

The message was particularly timely because HP is being sued over allegations it improperly coerced Deutsche Bank to support the deal. In fact, the lawsuit threatens the entire deal. 

So how could such a sensitive message get out? 

HP executives won’t publicly discuss any theories, and have threatened legal action against the thief if he or she is caught. 

Several scenarios are rather low-tech: Someone close enough to Wayman to know his voice mail password doesn’t like the Compaq deal, found the message and sent it to the Mercury News. Or Wayman wasn’t careful with his password and wrote it somewhere in his office, where someone untrustworthy found it. Or Wayman forwarded the message and it was in turn passed along to a fervent opponent of the merger. 

There are more complicated, more technical possibilities that include such voice mail features as back-door entries for administrators, who can cover their tracks, and on some networked systems, the potential to capture a user’s password. 

As many a geek at Hewlett-Packard well knows, voice mail messages generally are converted into chunks of data that get stored on computer hard disks. 

However, messages do not show up in most systems as discernible files, and are converted back into their original, audible form only when someone enters the mailbox’s password, said Marty Parker, a vice president with Avaya Inc., a New Jersey-based maker of voice and data systems. 

“So even a technician would have to change the password to play a message, and the user would know a password had been changed,” Parker said. And even if a company archives deleted voice mails, “it would take quite a bit of skill and knowledge to abuse the backup system.” 

The breach was a hot topic this week among the engineering and technical minds of Palo Alto-based HP, where employees tend to communicate internally through voice mail more than by e-mail. 

“I’ll guarantee that HP didn’t do everything possible to make their voice mail secure,” Schneier said. Most companies “think about network security — they don’t think about voice. Maybe now they’ll start.”