An open letter to Judith Collins about government website 'hacks'

To Hon. Judith Collins, MP

Hello Judith,

I was interested to read your tweet regarding the recent “Anonymous” attacks on National Party websites:

I know the technology community can get very shrill and accusatory around these things, but I want to give you some technical information which may allow you to take a different view on this and understand that various types of activity labeled “hacking” are not at all related.

The best way to provide this information is to break down your tweet and explain it in parts. I’m completely open to further clarification on the points below and welcome any questions. It is incredibly important that our legislators are informed on these subjects, because it is inevitable that a majority of New Zealand's commercial interactions will move online over time.

"Hackers"

Hacker is a very poorly defined term. Sometimes it can refer to people who like to tinker with electronics. It can also refer to criminals who genuinely break (or attempt to break) security on systems that they do not have permission to access.

In this particular case, it is more than likely that the group involved is nothing more than a loose affiliation of unskilled (or a mix of skilled and unskilled) internet users from New Zealand and elsewhere.

“Closed Down”

When you say “anti-GSCB hackers have closed down Government MPs websites” it leads me to think that you believe the people involved have some sort of access to the website systems and have used this to “turn off” the web sites, or components of the sites.

The more likely scenario is that the group involved has undertaken what we call a denial of service attack (DoS) by flooding the websites with a high level of traffic.

Imagine a shop which typically deals with 500 customers a day. If I wanted to disrupt business at this store, I can tell 10,000 people to all visit the shop at once. Naively you may think this is backwards and in fact great for business, but in reality the street outside the shop will become completely crammed, the shop will not be able to process more than a few customers and its regular customers will be very unlikely to visit. The important thing is that the shop is intact, there has been no illegal activity – no one has raided the till and once the crowd disperses normal business can resume.

This is how a DoS attack works. A bunch of regular internet users are convinced to flood a target website with requests to such a degree that legitimate users of the site are unable to communicate with it. It is not a sophisticated attack and can be undertaken effectively by only a few hundred users running software that automatically makes requests to the website as quickly as possible.

The important point here is that at no point has anyone accessed the internal workings of the website in question. To my mind this activity is no more serious than a picket outside a workplace.

Bank Account 'Hacking'

I assume when you say “what they could do to people’s bank accounts”, you’re implying that this same “Anonymous” group could gain access to a bank account and redirect the funds. I would like to dispel this notion.

Firstly, to my knowledge there has been no instance of an internet banking security breach in New Zealand – that is, no one has successfully gained access to a bank account by bypassing the standard login security.

Typically, bank account “hacking” is undertaken using “social engineering”, which involves tricking the user into divulging their access details through social interactions, whether that be forged emails, viruses, physically watching their keyboard, or even direct interaction. Once those details are obtained, of course a criminal could log in using the details and extract funds. History tells us that this activity is almost exclusively the domain of organised crime and almost always from foreign actors.

I hope you can see from my explanations above that the activity we have witnessed regarding the National Party websites and bank account “hacking” are worlds apart. The former in no way proves the latter, as you stated. Conflating the two does nothing to advance discussion around how we can embrace or enable legitimate online protest while also dealing with illegal activity in an increasingly connected world.

Yours Sincerely,

Ben Gracewood.

This article originally appeared on Ben Gracewood's blog.