To Hon. Judith Collins, MP
I was interested to read your recent Twitter posting regarding this morning’s “Anonymous” attacks on National Party websites:
So anti-GSCB hackers have closed down Government MPs websites proving what they could do to people's bank accounts.
— Judith Collins (@JudithCollinsMP) July 29, 2013
I know the tech community can get very shrill and accusatory around these things, but I do want to give you some technical information that might allow you to take a different view on this, and understand that various types of activity labelled “hacking” are not at all related.
I think the best way to provide this information is to break down the parts of your tweet into various explanations. I’m completely open to further clarifications on the points below, and welcome any questions. I think it is incredibly important that our legislators are informed on these subjects, because it is inevitable that a majority of our commercial interactions will move online over time.
“Hackers” is a very poorly defined term. Sometimes it refers to people who like to tinker with electronics. It can also refer to criminals who genuinely break (or attempt to break) security on systems that they do not have permission to access.
In this particular case, it is more than likely that the group involved is nothing more than a loose affiliation of unskilled (or a mix of skilled and unskilled) internet users from New Zealand and elsewhere.
When you say “anti-GSCB hackers have closed down Government MPs websites” it leads me to think that you believe the people involved have some sort of access to the website systems and have used this to “turn off” the web sites, or components of the sites.
The more likely scenario is that the group involved have undertaken what we call a “Denial of Service Attack” (or DoS Attack) by flooding the websites with a high level of traffic.
Imagine a shop that typically deals with 500 customers a day. If I wanted to disrupt business at this shop, I might tell 10,000 people to all visit the shop at once. Naively you might think this is backwards and in fact great for business, but in reality the street outside the shop will become completely crammed, the shop will not be able to process more than a few customers, and its regular customers will be very unlikely to visit. The important thing is that the shop is intact: there has been no illegal activity, no one has raided the till, and once the crowd disperses normal business can resume.
This is how a Denial of Service Attack works. A bunch of regular internet users are convinced to flood a target website with requests to such a degree that the legitimate users of the site are unable to communicate with it. It is not a sophisticated attack, and can be undertaken effectively by only a few hundred users running software that automatically makes requests to the website as fast as possible.
At no point has anyone accessed the internal workings of the website in question.
To my mind this activity is no more serious than a picket outside a workplace.
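To make the distinction concrete from the website operator’s side, here is an added example (not code from the original letter) of what a flood looks like in an ordinary web-server access log: a sudden jump in requests per second, from many distinct clients, while the server is still answering (some replies are 503 “overloaded” rather than 200). Nothing in such a log shows anyone inside the system; the site is simply too busy. The log lines and the baseline rate are constructed for illustration, and the Common Log Format layout is assumed.

```python
"""Flood (denial-of-service) detection over web-server access logs.

Added illustration, not code from the original letter. It assumes a
Common Log Format access log and a known baseline request rate; the log
lines below are constructed sample data, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(m.group("status"))


def detect_flood(lines, baseline_per_sec, factor=10):
    """Bucket requests by second and flag any second whose volume exceeds
    factor x baseline. Returns a list of
    (second_iso, request_count, distinct_clients, share_of_503s)
    for each flagged second; an empty list means traffic looked normal."""
    per_sec = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip malformed lines rather than crash
            continue
        ip, ts, status = parsed
        per_sec[ts.replace(microsecond=0)].append((ip, status))

    flagged = []
    for second in sorted(per_sec):
        hits = per_sec[second]
        if len(hits) > baseline_per_sec * factor:
            clients = len({ip for ip, _ in hits})
            overloaded = sum(1 for _, s in hits if s == 503) / len(hits)
            flagged.append((second.isoformat(), len(hits), clients, round(overloaded, 2)))
    return flagged


def build_sample_log():
    """Constructed sample: three quiet seconds, then one second of flooding.
    Addresses are from the RFC 5737 documentation ranges, not real hosts."""
    fmt = '{ip} - - [29/Jul/2013:09:00:{sec:02d} +1200] "GET / HTTP/1.1" {status} 1024'
    lines = []
    for sec in range(3):                       # normal: 2 requests per second
        for i in range(2):
            lines.append(fmt.format(ip=f"203.0.113.{i + 1}", sec=sec, status=200))
    for i in range(40):                        # second 3: 40 requests from 20 clients
        status = 503 if i % 2 else 200         # server strained but still answering
        lines.append(fmt.format(ip=f"198.51.100.{i % 20 + 1}", sec=3, status=status))
    lines.append("garbage line that does not parse")   # exercise the skip path
    return lines


SAMPLE_LOG = build_sample_log()


def run_demo():
    """Run the detector over the constructed log with a 2 req/s baseline."""
    return detect_flood(SAMPLE_LOG, baseline_per_sec=2)


if __name__ == "__main__":
    for second, count, clients, share_503 in run_demo():
        print(f"{second}: {count} requests from {clients} clients, "
              f"{share_503:.0%} answered 503 (server busy, not breached)")
```

The flagged second shows the three things that characterise a flood rather than an intrusion: request volume far above baseline, a large number of distinct sources, and a server that is still responding (with 503s) rather than one that has been altered. In practice the baseline would come from the site’s own historical traffic and the mitigation is capacity, rate limiting or upstream filtering, not a forensic search for a break-in.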
Bank Account “Hacking”
I assume when you say “what they could do to people’s bank accounts”, you’re implying that this same “Anonymous” group could gain access to a bank account and redirect the funds. I would like to dispel this notion.
Firstly: to my knowledge there have been no instances of an internet banking security breach in New Zealand. That is: no one has successfully obtained access to a bank account by bypassing the standard login security.
Typically, bank account “hacking” is undertaken using what we call “social engineering”. That is: getting a user to divulge their access details through social interactions, whether that be forged emails, viruses, physically watching their keyboard, or even direct interaction. Once those details are obtained, of course a criminal could log in using the details and extract funds. History tells us that this activity is almost exclusively the domain of organised crime, and almost always from foreign actors.
I hope you can see from my explanations above that the activity we have witnessed regarding National Party websites and bank account “hacking” are worlds apart. The former in no way proves the latter, as you stated.
Conflating the two does nothing to advance discussion around how we can embrace or enable legitimate online protest while also dealing with illegal activity in an increasingly connected world.