An Open Letter to Judith Collins

To Hon. Judith Collins, MP

Hello Judith

I was interested to read your recent twitter posting regarding this morning’s “Anonymous” attacks on National Party websites:

I know the tech community can get very shrill and accusatory around these things, but I do want to give you some technical information that might allow you to take a different view on this, and understand that various types of activity labelled “hacking” are not at all related.

I think the best way to provide this information is to break down the parts of your tweet into various explanations. I’m completely open to further clarifications on the points below, and welcome any questions. I think it is incredibly important that our legislators are informed on these subjects, because it is inevitable that a majority of our commercial interactions will move online over time.

Hackers

“Hackers” is a very poorly defined term. Sometimes it can refer to people that like to tinker with electronics. It can also refer to criminals who genuinely break (or attempt to break) security on systems that they do not have permission to access.
In this particular case, it is more than likely that the group involved is nothing more than a loose affiliation of unskilled (or a mix of skilled and unskilled) internet users from New Zealand and elsewhere.

“Closed Down”

When you say “anti-GSCB hackers have closed down Government MPs websites” it leads me to think that you believe the people involved have some sort of access to the website systems and have used this to “turn off” the web sites, or components of the sites.
The more likely scenario is that the group involved have undertaken what we call a “Denial of Service Attack” (or DoS Attack) by flooding the websites with a high level of traffic.

Imagine a shop that typically deals with 500 customers a day. If I wanted to disrupt business at this shop, I might tell 10,000 people to all visit the shop at once. Naively you might think this is backwards and in fact great for business, but in reality the street outside the shop will become completely crammed, the shop will not be able to process more than a few customers, and their regular customers will be very unlikely to visit the shop. The important thing is that the shop is intact, there has been no illegal activity, no one has raided the till, and once the crowd disperses normal business can resume.

This is how a Denial of Service Attack works. A bunch of regular internet users are convinced to flood a target website with requests to such a degree that the legitimate users of the site are unable to communicate with it. It is not a sophisticated attack, and can be undertaken effectively by only a few hundred users running software that automatically makes requests to the website as fast as possible.

At no point has anyone accessed the internal workings of the website in question.
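To make the distinction concrete from the operator's side, here is an added example (mine, not part of the original letter) of what a flood looks like in a web server's access log and how an administrator can spot it. It parses Common Log Format lines, keeps a sliding window of recent requests, and reports both per-source spikes and the total request rate, the latter because a flood spread across many ordinary users (the "few hundred users" case above) stays under any per-source limit and only shows up in aggregate. All log lines, addresses and timestamps are constructed for the example; the 10-second window and the threshold of 10 requests are arbitrary choices, not values from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into (ip, timestamp, path); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def make_line(ip, second, path="/"):
    """Build a constructed log line `second` seconds after a fixed start time (made-up data)."""
    ts = datetime(2012, 7, 27, 9, 0, 0) + timedelta(seconds=second)
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{stamp} +1200] "GET {path} HTTP/1.1" 200 5123'


# Scenario A (constructed): a few ordinary visitors plus one source
# re-requesting the front page 15 times in about five seconds.
SINGLE_SOURCE_FLOOD = sorted(
    [
        make_line("198.51.100.12", 1, "/about"),
        make_line("198.51.100.40", 9),
        make_line("192.0.2.77", 18, "/news"),
    ]
    + [make_line("203.0.113.7", 3 + i // 3) for i in range(15)],
    key=lambda line: parse_line(line)[1],
)

# Scenario B (constructed): 40 distinct sources each make a single request
# within two seconds. No source looks abusive on its own; the total does.
MANY_SOURCE_BURST = [make_line(f"203.0.113.{100 + i}", 30 + i % 2) for i in range(40)]


def find_floods(lines, window_seconds=10, threshold=10):
    """Return {ip: peak requests seen in one window} for sources above the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not parse rather than crash on them
        ip, ts, _ = parsed
        window = recent[ip]
        window.append(ts)
        # Drop timestamps that have aged out of the window (log assumed time-ordered).
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


def peak_total_rate(lines, window_seconds=10):
    """Highest number of requests from all sources combined in any single window."""
    window = deque()
    peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, ts, _ = parsed
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak = max(peak, len(window))
    return peak


if __name__ == "__main__":
    print("per-source offenders, scenario A:", find_floods(SINGLE_SOURCE_FLOOD))
    print("per-source offenders, scenario B:", find_floods(MANY_SOURCE_BURST))
    print("peak total per window, A / B:",
          peak_total_rate(SINGLE_SOURCE_FLOOD), "/", peak_total_rate(MANY_SOURCE_BURST))
```

The per-source check is what a simple rate limiter does; the aggregate rate compared against the site's normal baseline is what tells an operator that the site is being crowded out rather than broken into. Neither measure says anything about the contents of the server, which is exactly the point: the log records visitors arriving, not anyone getting past the login.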

To my mind this activity is no more serious than a picket outside a workplace.

Bank Account “Hacking”

I assume when you say “what they could do to people’s bank accounts”, you’re implying that this same “Anonymous” group could gain access to a bank account and redirect the funds. I would like to dispel this notion.

Firstly: to my knowledge there have been no instances of an internet banking security breach in New Zealand. That is: no one has successfully obtained access to a bank account by bypassing the standard login security.

Typically, bank account “hacking” is undertaken using what we call “social engineering”. That is: getting a user to divulge their access details through social interactions, whether that be forged emails, viruses, physically watching their keyboard, or even direct interaction. Once those details are obtained, of course a criminal could log in using the details and extract funds. History tells us that this activity is almost exclusively the domain of organised crime, and almost always from foreign actors.

In Conclusion

I hope you can see from my explanations above that the activity we have witnessed regarding National Party websites and bank account “hacking” are worlds apart. The former in no way proves the latter, as you stated.

Conflating the two does nothing to advance discussion around how we can embrace or enable legitimate online protest while also dealing with illegal activity in an increasingly connected world.

Yours Sincerely,

Ben Gracewood

22 Replies to “An Open Letter to Judith Collins”

  1. While I certainly agree that providing more information on how websites are taken offline is worthwhile, and read the tweet being responded to as pretty lazy scaremongering…

    The part of the analogy where “there has been no illegal activity” makes it an ill fit for me. My understanding is that a denial of service attack breaches section 250 of the Crimes Amendment Act 2003 by causing a computer system to “deny service to any authorised users”.

    Don’t get me wrong, it’s not a tactic I’m against, but I think it’s a step above a workplace picket… and a little more like flashmobbing the neighbourhood the business is in, given the impact it can have on innocent businesses which may share hosting with the target.

    1. Yeah I thought about that a bit Josh, and it’s a tricky area.

      Ultimately I think there needs to be some way to allow online protest. Tricky to know where it will be.

1. Absolutely agree that there needs to be some way to allow online protest… and I’m probably more ethically flexible than many in not being especially upset by a bit of collateral damage in pushing a site off the net. If I buy shared hosting, I’m expecting a little downtime.

        For me, the main thing that I’d like people (especially our legislators) to come away from this with is an understanding of the relative danger presented by each of the types of people the “hacker” label can apply to. The person who can empty your bank account by whistling down the phone line at the right frequency is not the same person who is going to (more or less) refresh your website over and over to say that they don’t like it.

    2. There have definitely been no illegal actions here if the method to disable the sites were DoS.

      The only reprehensible actions here have been done by the Govt with the GCSB, screwing with our employment laws (Warner Bros), the introduction of their anti-democratic policies and their overall attack on the beneficiaries and the less wealthy in our society.
      And to top it off they’ve sensationalised and lied about it all the way through

    3. Online it is typical for smaller web servers to be unable to gracefully handle large amounts of traffic.

      There is even a term known as “Slashdotting” which is when the popular technology website Slashdot.org links to a website which can result in a melt down. https://en.wikipedia.org/wiki/Slashdot_effect

Given that it is quite possible that a link on Slashdot or another high-trafficked site can cause an outage on a large number of websites hosted in New Zealand without the faintest notion of criminal intent, is our law a little out dated?

      A reverse DOJ/Megaupload situation could be interesting;
      1) setup low powered web server in New Zealand
      2) get link to web page hosted on said web server put onto Slashdot
3) wait for the high traffic to bring the web server to its knees, thereby “denying service to any authorised users”
4) Try extradite the CEO of Slashdot and its board of directors to New Zealand for violating Section 250 of NZ’s Crimes Amendment Act 2003

  2. Ben for Prime Minister…no…seriously 🙂
    Well written, easy to read, easy to understand.
    Even Judith should get it.
    Bless

  3. I would also clarify that the political ideology of the concept of “Anonymous” is specifically far more focussed around political statements and a form of protest, and I am not aware of Anonymous specifically targeting bank accounts.

    The fact that this has become an issue of interest for Anonymous to me tends to indicate that this is a reasonably serious matter.

    I love the post Ben – really well explained. Possibly a bit of background regarding Anonymous might be educational for Judith as well?

  4. Hi Ben,
    I appreciate the sentiments and would agree that the general level of technical understanding among our less-than-esteemed leaders is pretty abysmal, and off the cuff uninformed comments like Judith’s are misleading and unhelpful.

    Hacktivism is a growing and interesting phenomenon.

    A couple of thoughts though.

    1) Under the Crimes Act, Section 250, a denial of service attack is most definitely illegal and punishable with up to 7 years imprisonment.

    DoS attacks (and in particular DDoS attacks) are not necessarily harmless either. Most modern network equipment and firewalls can deal with simple ping or syn floods, but more sophisticated DoS attacks can attack further up the application stack, with nasty consequences. Not to mention that DDoS attacks are not usually sourced from volunteers. Botnets consist of unaware Trojan-infected zombies. Which is neither harmless nor legal.

    Also, given that these types of targeted sites are often on shared hosted platforms, the innocent can get taken down as well. (For example, if IRD and Maritime S&R shared a hosting provider, a DoS on IRD online services could get really ugly, really fast)

    2) I haven’t yet seen any technical evidence of the actual nature of the attacks. A DoS attack is not a bad guess, but is kind of a shotgun approach. It could as easily have been a targeted attack against something like a WordPress vulnerability. We shall watch developments with interest.

    3) Let’s face it, quibbling over the precise definition of ‘hacking’, ‘cracking’ and ‘hackers’ is something that only matters to geeks. For lots of reasons, to the public at large the terms have become synonymous with breaking into computers illegally and messing with stuff. We aren’t going to change that; for the majority it’s become the de facto definition.

    4) While banking system hacks are relatively rare, there have been some pretty large scale thefts of credit card and other personal data from online services that were most definitely the result of targeted intrusions, rather than isolated social engineering.

    5) ‘Anonymous’ is more a trope than an identity. Plenty of activities attributed to Anonymous have political motives, but it’s not a formal organization with a set membership and agenda. Sometimes people involved have been implicated in other loose groups (LulzSec for example) and have done things for obscure reasons, not necessarily altruistic ones.

    Having said all that, I doubt the 4 or 5 regular patrons of Simon Power’s site were terribly inconvenienced. I’m sure his mum has his cellphone number. 🙂

    1. With regards to 2), my original suspicion was that someone else had noticed that (last I checked, months ago) most of the National-related websites were running unpatched versions of Serendipity which had a couple of services vulnerable to SQL injection.

But there were some comments from Anon NZ about how “only national.org.nz survived the attack” and news reporting that “The websites would remain offline until National patched its web servers or withdrew the bill and apologised to those it had affected, including Kim Dotcom, Anonymous said.” which, to me, supported it being DoS.

      1. Could be. We shall see.

        It is reasonably difficult to maintain a DoS for a sustained period though.

        If patching is likely to fix it, then that would also support the vulnerability angle.

5. Wow, I had to read that tweet from Judith Collins twice to make sure it said what I thought it did. Technology ignorance aside, no self-respecting lawyer would use such flawed logic. Surely she didn’t tweet this herself?

  6. You took the time to write out a beautifully calm response whereas I was left laughing and sort of scared at the fact this woman is supported by a few to be New Zealand’s next PM/leader of the National Party.

  7. The question isn’t really what people perceptions are but whether those can, as the Minister has cynically tried to do, be exploited to justify further diminution of NZ Citizens civil rights via the proposed amendments to the GCSB bill.

Similarly, people are seemingly being led to confuse the National Party with Government.

    The relevant section of the crimes act sec 250 you refer to is, I think, Sec 250 (2) (c) (ii) “deny service to any authorised users.”

    However may I point out that section 250 of the Crimes Act 1961, which was substituted, on 1 October 2003, by section 15 of the Crimes Amendment Act 2003 (2003 No 39), and further amended by the Crimes Amendment Act 2011.

    Although the definitions clause (248) defines Access, it doesn’t define ‘Service’, for the purposes of the Act, nor does section 250.

    Also argument may be given as to what constitutes an authorized user, as the act interpretations clause only says “authorisation includes an authorisation conferred on a person by or under an enactment or a rule of law, or by an order of a court or judicial process”.

    Does “authorised users” here just refer to those users included in a defined systems administrated permissions group, or if a general open access website any member of the public (and thus Anonymous) constitutes an authorised one.

    Especially bearing in mind section 252 Accessing Computer System without Authorisation, subsection (2) “To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.”

    So do DoS attacks constitute abuse of access by and of authorised users, as would say locking their accounts or changing their passwords?

    Moreover, is access to an open access website the same as access to a closed computer system, since most websites are demarked as outside of the former expressly in order to prevent unauthorised access to it?

    But it all begs the real question. As most active protest has at one time or another been illegal, or has since become so, whether or not the level of controversy dictates only that new forms of protests that are effective should become illegal thereby leaving only those effectively marginalised or officially sanctioned as not.

    Also relevant to consider is whether or not the crown wants to push the technical fact against the sensitivities of the public.

    For example the Crimes Act, section 123, also says

    123 Blasphemous libel

    (1) Every one is liable to imprisonment for a term not exceeding 1 year who publishes any blasphemous libel.

    There are many bloggers and journalists who violate this section on a daily basis, but when did we see the last prosecution?
