Category: News

To Hon. Judith Collins, MP

Hello Judith

I was interested to read your recent twitter posting regarding this morning’s “Anonymous” attacks on National Party websites:

So anti-GSCB hackers have closed down Government MPs websites proving what they could do to people's bank accounts.

— Judith Collins (@JudithCollinsMP) July 29, 2013

I know the tech community can get very shrill and accusatory around these things, but I do want to give you some technical information that might allow you to take a different view on this, and understand that various types of activity labelled “hacking” are not at all related.

I think the best way to provide this information is to break down the parts of your tweet into various explanations. I’m completely open to further clarifications on the points below, and welcome any questions. I think it is incredibly important that our legislators are informed on these subjects, because it is inevitable that a majority of our commercial interactions will move online over time.

Hackers

“Hackers” is an very poorly defined term. Sometimes it can refer to people that like to tinker with electronics. It can also refer to criminals who genuinely break (or attempt to break) security on systems that they do not have permission to access.
In this particular case, it is more than likely that the group involved is nothing more than a loose affiliation of unskilled (or a mix of skilled and unskilled) internet users from New Zealand and elsewhere.

“Closed Down”

When you say “anti-GSCB hackers have closed down Government MPs websites” it leads me to think that you believe the people involved have some sort of access to the website systems and have used this to “turn off” the web sites, or components of the sites.
The more likely scenario is that the group involved have undertaken what we call a “Denial of Service Attack” (or DoS Attack) by flooding the websites with a high level of traffic.

Imagine a shop that typically deals with 500 customers a day. If I wanted to disrupt business at this shop, I might tell 10,000 people to all visit the shop at once. Naively you might think this is backwards and in fact great for business, but in reality the street outside the shop will become completely crammed, the shop will not be able to process more than a few customers, and their regular customers will be very unlikely to visit the shop. The important thing is that the shop is intact, there has been no illegal activity. no one has raided the till, and once the crowd disperses normal business can resume.

This is how a Denial of Service Attack works. A bunch of regular internet users are convinced to flood a target website with requests to such a degree that the legitimate users of the site are unable to communicate with it. It is not a sophisticated attack, and can be undertaken effectively by only a few hundred users running software that automatically makes requests to the website as fast as possible.

At no point has anyone accessed the internal workings of the website in question.

To my mind this activity is no more serious than a picket outside a workplace.

Bank Account “Hacking”

I assume when you say “what they could do to people’s bank accounts”, you’re implying that this same “Anonymous” group could gain access to a bank account and redirect the funds. I would like to dispel this notion.

Firstly: to my knowledge there have been no instances of an internet banking security breach in New Zealand. That is: no one has successfully obtained access to a bank account by bypassing the standard login security.

Typically, bank account “hacking” is undertaken using what we call “social engineering”. That is: getting a user to divulge their access details though social interactions, whether that be forged emails, viruses, physically watching their keyboard, or even direct interaction. Once those details are obtained, of course a criminal could log in using the details and extract funds. History tells us that this activity is almost exclusively the domain of organised crime, and almost always from foreign actors.

In Conclusion

I hope you can see from my explanations above that the activity we have witnessed regarding National Party websites and bank account “hacking” are worlds apart. The former in no way proves the latter, as you stated.

Conflating the two does nothing to advance discussion around how we can embrace or enable legitimate online protest while also dealing with illegal activity in an increasingly connected world.

Yours Sincerely,

Ben Gracewood

TL;DR: How do you get five elephants into a mini?

I said last week that there’s no way I could build a school payroll system without error. Neither could you. Together though, we could get pretty damn close.

The elephant thing is funny, but strikes at the root of the issue: we need to ignore the elephant. Please excuse me while I flog a dead metaphor for a little while:

• We had a pretty cool elephant. It was big and hairy, occasionally left giant steaming turds around the place, and was really handy at moving logs around. 
• Someone decided the elephant was a bit old, even though it still got the jobs done.
• A replacement elephant was created, but the creators thought the trunk was for squirting water, not shifting logs, so it wasn’t strong enough to do the jobs we need it to do.  They then set about engineering a cybernetic augmented trunk system to strengthen the trunk.

A key issue with Novopay, and the school payroll system in general, along with many other huge black-box IT projects (yeah, I’m looking at you, $1.5bn+ IRD replacement system), is the approach of replacing the system as a whole. Forget about the elephant, let’s look for a system of interconnected components that – as a whole – gets us to where we need to be. Perhaps they end up looking like an elephant, or maybe a forklift, but that’s irrelevant.

In the case of Novopay, what are the core problems that need to be solved? Rather than tender for a complete system, we would be much better off if the Ministry of Education tendered for a “Teacher’s Payroll Calculation Component”. This would be defined as taking a set of inputs (tenure, contract details, tax period, hours worked), and emitting outputs (gross and net pay, tax, Kiwisaver, holidays accrued). The inputs and outputs of course have to be implemented in a transparent, open manner: REST would make developer’s lives easiest, but as long as it’s well-defined and not some proprietary binary format, who cares?

Those of you immunised against pragmatism will be having convulsions right now. “But, but, where does the data come from? Where is it stored? What about security and archiving? This is only a tiny piece of the problem!”.

I’m not saying calculating a single pay run is an easy task. On the contrary it sounds incredibly complex. But by breaking this one component out separately we can do so many things:

• TEST this component against the existing systems. Throw some really hairy combinations at it and make sure the outputs are correct and identical to the existing system. Create those as automated test cases that we run daily and verify output.
• INTEGRATE with this component in any way we think is appropriate. Let 1,000 data entry systems bloom. Want to write a pay calculation front-end for Palm Pilot? Here’s the API and security model, go to town.
• SECURE this component by ensuring that only teachers and schools (and other components of the larger system) with appropriate access can get at it.
• IMPLEMENT this component against the existing system by delegating the single task of calculation to this component using its API. Ding! You’ve just removed a dependency on the huge project.
• REPLACE this component if it sucks. You know the API, you have the test cases you need to achieve: if you think you can do better, go write me a new one.

But wait! I hear you saying, what about storing teacher details, historical pay runs, transferring money to bank accounts? Ben! You’re lying to us. We need to spend more money on Big IT!

It’s ok, just relax and keep slicing away at that elephant. Contract to build a “Teacher Information Storage System”. Define the fields you need to store, the security with which it needs to be stored, and the interfaces it needs to expose (surprise! one of those probably matches perfectly with the payroll calculation inputs).

The other obvious upside is you can approach each component as a best-of-breed system. Rather than using fucking Oracle Forms for user input, you could contract the front-end data entry to a talented web development studio, safe in the knowledge that they won’t be out of their depth having to code payroll calculation.

What’s more, if one particular implementation (or implementer) really sucks (ahem Talent2), then the damage is limited to the one component they are working on, not the entire system.

You get my drift? At no stage have I said this will save money. It probably will, but even if it doesn’t the end result is a well-defined set of interconnected components, all of which could be replaced individually.

There is of course a gigantic problem with my approach: everyone working on the systems, teachers, the Ministry, all the way down to coders, would need to collaborate openly and honestly. Bummer.

When I read “Police use drones to catch criminals“, I know it’s intended as a scary headline, but I just can’t get worked up about it.

You need to decipher a little jargon in the categories at Hobby King. RTF / PNF / ARF? It makes more sense if you know these mean “Ready to Fly”, “Plug-n-Fly” and “Almost Ready to Fly”. For example, this category lists the various multi-rotor vehicles that require only a few minutes of work to be up and flying.

The copters on that page range from tiny toys that have nowhere near the grunt to lift any sort of camera, through to this beast:

[box]The ZeroUAV YS-X6 autopilot is a tremendous flight controller system for multi-rotor aircraft supporting Android/IOS and PC systems, providing excellent auto-navigation, target lock, self-leveling and position/altitude holding. It is designed for both professional and hobby applications in commercial and industrial platforms.[/box]

Perhaps more interesting is this feature: Click any point on the Google Earth map on your ground station based smartphone or tablet and the YS-X6 will get your multi-rotor there.

Click any point on the Google Earth map on your ground station based smartphone or tablet and the YS-X6 will get your [drone] there.

The point I’m making is that this “scary drone” functionality is within reach of anyone with a small amount of cash. The US$1999 price is steep, but with a bit of research and coding you could build a similar platform for half the price. Is this a problem? Maybe.

I’ve been flying RC aircraft for more than 10 years. I presumed it was a highly technical hobby, requiring hours of practice at special clubs, official memberships, and arcane technical knowledge. Then I met a bunch of nice guys throwing cheap foam planes off Mt Wellington, here in Auckland. Over the next few months I learnt all the basics of RC flying, and – with an initial input of about $500 – was up and flying with my own glider.

Fast forward 10 years, add a huge amount of innovation in battery technology (yay Lithium Polymer!), electric motors (yay brushless!), and now I can send $100 to China and have a brand new electric model plane on my doorstep in a week. These planes are small, agile, and flyable in your local park.

With costs this low and technology moving so fast, it was inevitable that hobbyists would take it to the next level. It started with sticking small, cheap cameras on their planes. Perhaps to record the flight and grab some aerial shots of your house. The next step was a down-link from that camera, with cheap 2.4GHz wireless video links boosted by amplifiers and large antennas.

Now we are firmly in the age of the “FPV” or “First Person View” hobby flying. Yes, Hobby King has a category for that too.

The question is, where do you draw the line between “hobby” and “omfg that’s scary”? Take this video for example. Is that Afghanistan or Iraq? Neither, it’s just some guys testing the range of their FPV hobby plane out to 7.4 km. It only looks sinister because we’ve been trained that the grainy view with an information overlay means we’re about to see an explosion and bodies flying.

The only real issue here is whether the fliers know their local airspace and laws, have a working air-band radio to listen to nearby planes, and have an autopilot and recovery plan if things go wrong. I’d like to give them the benefit of the doubt, but the proliferation of long-range FPV flying means there are guaranteed to be some cowboys.

When I read “Police use drones to catch criminals“, I know it’s intended as a scary headline, but I just can’t get worked up about it. The use of hobby aircraft as described is just a logical evolution of technology. It’s no different to Police using their full sized helicopter to watch a drugs bust, or the local council using aerial photography to help with their surveys.

What do you think? Are you ok with police using drones in their work? What about some random guys flying out of your local cricket ground?