I was debating politics at 3 AM while roaming around downtown after AtlSecCon, and made a point that I think is worth fleshing out. The issue of elected senators came up, and whether they should be elected, how long the term should be, or if they should continue to be appointed.
Canada is a representative democracy; that is, we elect leaders who represent us in parliament. The government should, in theory, at any given time want the same thing as the average Canadian. The problem is, the average Canadian is a moving target. Whether you look at individuals, groups, or provinces, however you split it up, beliefs, opinions, and information change. Systems control theory and political science are clearly at opposite ends of the academic spectrum, but I made an analogy to PID loops that I think holds up.
A perfect democracy would vote on an issue per issue basis but that’s unfeasible for many reasons. Aside from manpower, there’s an episode of the Orville that both implements it, and scares the hell out of me, so it’s probably a bad idea. Let’s just assume that’s not happening. Instead, we elect members of parliament to represent us, roughly on geographical and cultural lines, and for a four-year term.
Senators are considered the “sober second thought.” They are appointed by the political party of the day and remain in that position until death. The question was, should senators also be elected? A lot of people have an issue with life appointments and the idea that unelected people should have the power to stop bills from becoming law. I would argue the opposite.
A PID loop is an algorithm for ‘holding an output to a specific value.’ The most common example is cruise control; the system manages the throttle to hold the vehicle at the desired speed. It even has to compensate for things like driving up a hill or coasting down the other side. In the same way, the government should reflect the average Canadian even if popular opinion changes all of a sudden; the loop smooths out the transition.
PID loops have three parts: the proportional, the integral, and the derivative. All three have different effects on the output.
The first thing you do is find the error. How far off are we? Just take the difference between the target and the current value. The PID acts on this error.
The proportional gain, or P, affects the output as a multiplier. If we’re off by 10 km/h, and the P gain is 0.1, then the speed will be adjusted by 1 km/h every time the loop runs. It’s relatively slow, but effective. The problem with proportional control is overshoot. Generally, with process control, you want the output to be close to the desired value at all times, and doing so requires a high gain. Let’s say the gain was 10, we’re doing 110 km/h, and we want to be going 100 km/h: the car would go from 110 km/h to 100 km/h, but keep going down to 90 km/h before the control loop had a chance to react. Then it would shoot back up to 110, back down to 90, and so on. It’s called an “undamped oscillation.” Obviously, that’s a bad thing. That also looks suspiciously like a government with no senate. Laws could be written, enacted, and repealed every 4 years. This would be like driving a car by only slamming on the brakes or flooring it. It’s not a comfortable ride. The country would have large swings in policy and law every time an election comes around. Cruise control is likely preferable.
The integral, or I, in a PID loop effectively takes the average difference of the previous values, and uses it to dampen the output. You can think of it like the shock absorber in a car’s suspension. The car would bounce up and down without dampening. Instead of going from 110 to 100 to 90 and back, we go from 110 to 102, to 99, to 100, and then stay there. My argument is that the Senate is the integral.
Derivatives are rarely used in process control so let’s leave that out for now. We could model the Governor General as a derivative gain of 0, rubber stamping the law except under exceptional circumstances.
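As an added illustration, not code from the original post: a discrete cruise-control simulation with the three gains. The plant model is an assumption made for this example: the speed moves by exactly the controller’s output each tick, plus a constant load for the hill. Under that model a P gain of 0.1 gives the 1 km/h-per-tick correction described above; the undamped 110/90/110 swing appears at a gain of 2.0 rather than 10, because the model has no lag; and the integral term is what removes the steady-state error that a hill leaves behind with P alone.

```python
from typing import List


def simulate(kp: float, ki: float = 0.0, kd: float = 0.0,
             target: float = 100.0, start: float = 110.0,
             hill: float = 0.0, steps: int = 50) -> List[float]:
    """Run the control loop `steps` times and return the speed after each tick.

    kp, ki, kd -- proportional, integral and derivative gains
    hill       -- km/h gained or lost per tick to a constant load
                  (negative = uphill); an assumed, simplified plant
    """
    speed = start
    integral = 0.0                 # running sum of past errors: the I term's memory
    prev_error = target - speed
    history: List[float] = []
    for _ in range(steps):
        error = target - speed               # how far off are we?
        integral += error                    # I: accumulate the history of errors
        derivative = error - prev_error      # D: how fast the error is changing
        prev_error = error
        output = kp * error + ki * integral + kd * derivative
        speed += output + hill               # plant: throttle moves speed directly
        history.append(speed)
    return history


def ticks_to_settle(history: List[float], target: float, tol: float = 0.5) -> int:
    """Index of the first tick after which the speed stays within `tol` of
    `target` for the rest of the run; -1 if it never settles."""
    for i, _ in enumerate(history):
        if all(abs(x - target) <= tol for x in history[i:]):
            return i
    return -1


if __name__ == "__main__":
    print("P=0.1, flat:      ", [round(s, 1) for s in simulate(0.1, steps=8)])
    print("P=2.0, flat:      ", simulate(2.0, steps=6))          # undamped swing
    print("P=0.1, uphill:    ", round(simulate(0.1, hill=-2.0, steps=100)[-1], 2))
    print("PI, uphill:       ", round(simulate(0.1, ki=0.02, hill=-2.0, steps=300)[-1], 2))
```

With P alone the uphill run settles 20 km/h below the target, because the only way a pure multiplier can produce a constant correction is to carry a constant error; the integral accumulates that error until its own contribution cancels the load, which is the sense in which it remembers where the loop has been.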
Since we model parliament as a proportional gain, it is clear that the most effective way to maintain the output is to model the Senate after integral control. That is, get to the median quickly, and hold there. Instead of throttling speed, it’s re-centering to match the average Canadian’s position on the political spectrum. Clearly politics is at least two-dimensional (authoritarian vs. libertarian, and economic left vs. economic right), and this can be applied to both axes independently.
My immediate concern with elected senators is that they can no longer be modelled by an integral. If they can also change based on the whims of voters, then they simply become another proportional gain, albeit with longer terms. My issue with this is that the output won’t necessarily settle in the middle. It would almost certainly have ‘resonant frequencies.’ When people vote for an MP, they’re likely to vote for a Senator on party lines. Officially, senators don’t have party affiliations anymore. Unofficially, they’re tribal creatures like the rest of us.
My point is, we need a damper, and I’m not sure if we can have that if Senators can be tossed out because the public disagrees with them. Once Senators are appointed, they can’t be removed by the government of the day, just as the proportional gain has no effect on the integral gain. They’re able to vote on their own, without a caucus to force their hand, and without the threat of elections.
Just as the integral looks at the previous speeds on the car, the Senate is representative of the government, historically, at various points over the last 30-40 years. A government appoints senators that align with their values at the time. The longer ago they were brought in, the less they affect the average. In my opinion, it’s nearly a perfect analogy to PID loop control. A car would be undrivable with two proportional gains, and I worry if we remove life terms, that we’re going to go off the rails.
An open letter to the Premier and the Cabinet
By evan on Apr 13, 2018
I’m writing to you, and Cabinet Members, regarding the FOIPOP issue that’s been in the news. Based on the emergency debate today, and your responses in question period, I think it’s very clear that you have all been briefed incorrectly at best, and lied to at worst.
The issue at hand is not that the server was “hacked,” or “breached.” A server meant for publishing public FOIPOP documents was used for publishing *all* FOIPOP documents. At its core, this is a very simple and likely accidental leak of confidential documents.
Is it a crime to download publicly disclosed documents, from a public server, run by the Freedom of Information department, with no authentication, with no security, and with no access control? The answer is simply no. To be clear, the 19-year-old kid did nothing wrong.
It’s clear this person was somewhat technical, having scripted the download process. If they had any malintent whatsoever, they would have made some attempt to hide their identity. The fact that they were arrested so quickly based on an IP address means they didn’t.
Comments were made that this person *must* have been looking for personal information. Why would anyone assume that 4% of the documents on a public server contain confidential information?
The province is not the victim here. The citizens who entrusted their personal information to the government are. The kid who was charged with an offence under the anti-terrorism act for archiving public documents is.
Your government made a mistake. A serious mistake, but a mistake nonetheless. That should have been the only story here. Unfortunately you have taken an absurd position, and by doing so committed a grave injustice. I’m calling on you, as public servants, to do the right thing and investigate this issue for yourself.
Nova Scotia’s FOIPOP web service, much to the chagrin of reporters, has been unavailable for the better part of a week. Ironically, not much information has been provided on why. Today HRP and the Minister of Internal Affairs announced the web service had been “compromised” and a suspect was in custody. I’ll leave coverage of the subsequent political posturing to the news media, and instead focus on the actual attack and the implications this case has for security research in general.
The FOIPOP Webservice
Before I get into the details, I should explain what the provincial FOIPOP web service is and how it works.
It is a government-owned, subcontractor-run portal to pay for and receive FOIPOP reports. As a citizen, or as a reporter, you can pay a $5 fee and get access to government documents, from the normal course of their business, that are by and large considered to be public. In fact, there is a law, the Freedom of Information and Protection of Privacy Act, that ensures those records are available to the public, with some restrictions. Those restrictions largely surround personal information. For example, I can request information about a project, but not about a person unless that person is me (or has given permission).
Let’s get an idea of the scope of this breach. According to Global News,
On April 6, Unisys informed the province that between March 3 and March 5 more than 7,000 documents were accessed and downloaded by a “non-authorized person.”
The province says that 250 of the documents contain highly sensitive personal information such as birth dates, addresses and social insurance numbers.
This implies there were 6750 documents that did not contain “highly sensitive” personal information and 250 that did.
Part of my routine for writing Morning File is to daily check various government websites for new activity — provincial and federal tender offers, orders in council, and the Freedom of Information Office’s disclosure log.
That last is a bit of reporting theft — we reporters can see what each other has been working on, as the FOI office posts the disclosures given to other reporters two weeks after they’ve been released. More importantly, citizens can use the site to easily make their own Freedom of Information requests, pay the $5 application fee, track their requests, get an electronic record when the information is released, and like reporters do, look at other releases.
Considering 6750 of the documents did not contain “highly sensitive” personal information, and were therefore literally published publicly by the government, that would imply to me that the actual scope of the breach is limited to 250 records.
An unnamed 19-year-old man from Halifax (I’m calling him Mr. Big) was arrested, interrogated, and charged yesterday in relation to a “breach of a provincial government network” and was subsequently charged with “Unauthorized Use of Computer,” which carries a penalty of up to 10 years. As Deputy Minister Jeff Conrad told Global News:
“There’s no question, this was not someone just playing around”
It would appear the government is not “playing around” either considering this charge carries the same maximum sentence as both rape, and creating child pornography.
We’ve established that 250 records were “highly sensitive,” so the question is: how did Mr. Big retrieve them? Surely the provincial government does its best to protect “highly sensitive” documents from hackers. Right?
I wish I could say the exploit was advanced. That it was complicated, that it was novel or new, that the province simply had no chance against this bastion of elite hacker skills. The problem is I can’t even call it an exploit with a straight face. Ernie and Bert probably explain it best.
The way the documents are stored is simple. They’re available at a specific URL, which David Fraser, a Halifax-based privacy lawyer, was happy to provide:
Document number 1235 is stored at https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1235.
Guess where document 1236 is stored? This is not a new problem. In fact, it was recognized over a decade ago as one of the top ten issues affecting web application security. All Mr. Big had to do was add.
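The pattern just described, an integer in the URL looked up with no regard for who is asking, next to the check that would have kept the 250 private records private. This is an added example written for this page; it is not the province’s, Unisys’s or CSDC’s code, and the in-memory store, the record fields (`requester`, `published`) and the rule that an unpublished record belongs only to the person who requested it are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import secrets


class NotFound(Exception):
    """Raised for any id the caller may not have; existence is not confirmed."""


@dataclass(frozen=True)
class Attachment:
    rsn: int            # sequential record number, like attachmentRSN in the URL
    requester: str      # who filed the request (assumed field)
    published: bool     # True once the disclosure log makes it public (assumed)
    body: bytes


# Constructed sample store: two published disclosures and one still private
# to its requester. All values are made up for this example.
STORE: Dict[int, Attachment] = {
    1235: Attachment(1235, "alice", True, b"redacted disclosure 1235"),
    1236: Attachment(1236, "bob", True, b"redacted disclosure 1236"),
    1237: Attachment(1237, "carol", False, b"unredacted: contains a SIN"),
}


def download_vulnerable(rsn: int) -> bytes:
    """The pattern the post describes: whatever integer is in the URL is
    looked up and returned. Nothing about the caller is consulted."""
    try:
        return STORE[rsn].body
    except KeyError:
        raise NotFound(rsn)


def download_hardened(rsn: int, caller: Optional[str]) -> bytes:
    """Same lookup, with the record's own access rule enforced: published
    records are open to anyone, anonymous callers included; unpublished
    ones only to their (authenticated) requester."""
    att = STORE.get(rsn)
    if att is not None and (att.published or caller == att.requester):
        return att.body
    # One error for both "does not exist" and "not yours", so the handler
    # does not tell an anonymous caller which numbers are worth retrying.
    raise NotFound(rsn)


# Second layer for a portal that publishes documents: hand out random,
# non-sequential handles for published records, so one public link says
# nothing about its neighbours.
PUBLIC_HANDLES: Dict[str, int] = {
    secrets.token_urlsafe(16): rsn
    for rsn, att in STORE.items() if att.published
}


def download_by_handle(handle: str) -> bytes:
    rsn = PUBLIC_HANDLES.get(handle)
    if rsn is None:
        raise NotFound(handle)
    return STORE[rsn].body


def visible_to(caller: Optional[str]) -> List[int]:
    """Audit helper: every record the hardened handler would serve to `caller`."""
    served = []
    for rsn in STORE:
        try:
            download_hardened(rsn, caller)
            served.append(rsn)
        except NotFound:
            pass
    return served


if __name__ == "__main__":
    print("anonymous caller sees:", visible_to(None))
    print("carol sees:          ", visible_to("carol"))
    print("public handles:      ", list(PUBLIC_HANDLES))
```

The access rule lives beside the record rather than in the URL scheme: changing the identifier to something unguessable only narrows the window, while the per-record check is what actually decides who gets the bytes.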
“This is an isolated incident and no other CSDC products or customers have been impacted,”
I was able to find several American cities using the same software, and they all work the same way. That would imply the system is working as designed. I believe them when they say the issue is isolated to NS, because this is not an issue with the software but with how it’s used by the province.
These two sites are very interesting, because they use the same software, but are in a subfolder called “PublicPortal.” We’ll get back to that.
You can find them yourself, simply google “inurl:attachmentRSN”. Try it out, and you’ll notice the first few results are from none other than foipop.novascotia.ca.
I later found the same URL on the NS NDP website. The link doesn’t currently work, as the province took the system down. That being said, Google was able to index and cache several FOIPOP requests. This document specifically, number 7433, appears to have all contact information redacted, which implies it’s one of the ones explicitly posted for public consumption and representative of 6750 of the 7000 files.
To be crystal clear, Google was able to access, and continues to host, several of the same documents Mr. Big is facing charges over.
What are the actual charges? From the Canadian Criminal Code (emphasis mine):
Unauthorized use of computer
342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service;
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a
(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c).
In order to secure a conviction, the Crown would have to prove beyond a reasonable doubt that the access was fraudulent.
Just as this isn’t a new problem, it’s not the first time it’s been before the courts. There are two very high profile cases.
“Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. Attorney’s office and at MIT contributed to his death,” his family said.
Sadly, he killed himself while being railroaded by the US justice system.
Although it did not directly address whether accessing information on a publicly available website violates the CFAA, the court suggested that there may have been no CFAA violation, since no code-based restrictions to access had been circumvented.
The question remains, was the access fraudulent?
Remember what I said about the other installations being called “PublicPortal”? And how 6750 of the 7000 records were public anyways, and how this system is literally designed for facilitating “access to information?” Looking at it further, there are no authentication mechanisms, no password protection, no access restrictions. It’s very clear that the software is intended to serve as a public repository of documents.
It’s also very clear that there are at least 250 documents improperly stored there by the province. Documents that the province had a responsibility to protect, and failed to.
Mr. Big asked for a document, and the server returned it, as it’s supposed to. Then he asked for them all, and unluckily for him, 250 of the 7000 were “confidential.” He didn’t even try to hide, apparently having been traced by his IP address.
Was that access fraudulent? It’s for the courts to decide, but I would argue no.
Had this system been audited, or looked at by any reasonably competent security professional, this would have been fixed before it became national news and an embarrassment to the province.
An interesting question to consider: was Mr. Big even the only one to discover the flaw? From Global News:
“The employee was involved in doing some research on the site and inadvertently made an entry to a line on the site – made a typing error and identified that they were seeing documents they should not have seen,” Deputy minister Jeff Conrad told a technical briefing.
The government’s official position is that the flaw just happened to be rediscovered last week by a miscellaneous staffer. Apparently, when they raised the issue, the technical team discovered Mr. Big in the logs from a month prior.
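The technical team found the downloads in the logs a month after the fact. A check that would have surfaced the pattern at the time, as an added example that is not from the post, the province or Unisys: it parses constructed access-log lines (the common log format is assumed; the sample lines, addresses and timestamps are made up) and flags any client that successfully fetched a run of consecutive attachmentRSN values, which is what a scripted walk through the identifier space looks like from the server side.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Common-log-format prefix of a request line (assumed format; adjust to the
# real server's). Only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
RSN_RE = re.compile(r'[?&]attachmentRSN=(\d+)')

# Constructed sample lines, not real server logs: one client walking 1235..1243,
# one ordinary reader, and one client that stopped after three records.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2018:14:02:01 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1235 HTTP/1.1" 200 10240
203.0.113.5 - - [03/Mar/2018:14:02:02 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1236 HTTP/1.1" 200 8831
203.0.113.5 - - [03/Mar/2018:14:02:03 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1237 HTTP/1.1" 200 12004
203.0.113.5 - - [03/Mar/2018:14:02:04 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1238 HTTP/1.1" 200 9912
203.0.113.5 - - [03/Mar/2018:14:02:05 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1239 HTTP/1.1" 200 7777
203.0.113.5 - - [03/Mar/2018:14:02:06 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1240 HTTP/1.1" 200 15360
203.0.113.5 - - [03/Mar/2018:14:02:07 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1241 HTTP/1.1" 200 6200
203.0.113.5 - - [03/Mar/2018:14:02:08 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1242 HTTP/1.1" 200 11111
203.0.113.5 - - [03/Mar/2018:14:02:09 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1243 HTTP/1.1" 404 0
198.51.100.7 - - [03/Mar/2018:14:05:10 -0400] "GET /foia/views/index.jsp HTTP/1.1" 200 512
198.51.100.7 - - [03/Mar/2018:14:05:41 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=7433 HTTP/1.1" 200 40960
198.51.100.7 - - [03/Mar/2018:14:09:02 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1240 HTTP/1.1" 200 15360
192.0.2.9 - - [03/Mar/2018:15:30:00 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=2000 HTTP/1.1" 200 3000
192.0.2.9 - - [03/Mar/2018:15:30:01 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=2001 HTTP/1.1" 200 3100
192.0.2.9 - - [03/Mar/2018:15:30:02 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=2002 HTTP/1.1" 200 2048
"""


def parse_downloads(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """(client ip, attachmentRSN) for every successful attachment download."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        r = RSN_RE.search(m.group("path"))
        if r:
            found.append((m.group("ip"), int(r.group(1))))
    return found


def longest_consecutive_run(ids: Iterable[int]) -> int:
    """Length of the longest run of consecutive integers among `ids`."""
    ordered = sorted(set(ids))
    if not ordered:
        return 0
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(lines: Iterable[str], min_run: int = 5) -> Dict[str, int]:
    """Clients whose successful downloads include a run of at least `min_run`
    consecutive record numbers, mapped to their longest run."""
    by_ip: Dict[str, List[int]] = defaultdict(list)
    for ip, rsn in parse_downloads(lines):
        by_ip[ip].append(rsn)
    flagged = {}
    for ip, ids in by_ip.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged


if __name__ == "__main__":
    for ip, run in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: walked {run} consecutive attachmentRSN values")
```

The threshold is deliberately a count of consecutive identifiers rather than a request rate, since a slow walk is still a walk; in practice the two signals are combined, and a flagged client is a prompt to review what those records contained, not a verdict on intent.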
They haven’t announced charges against the staffer, so presumably, they don’t consider that manipulation to be “fraudulent.”
To be clear, this is speculation, but it isn’t an unreasonable theory that Mr. Big disclosed the vulnerability to the province. Clumsily maybe, but I honestly believe they tried. I don’t buy the story that the province conveniently happened to discover the breach because someone else noticed the exploit a few weeks later. The system had been in place for over a year and a half, so the timing is suspect at best.
I believe the province failed in their responsibility to protect the data and is now railroading Mr. Big to cover it up.
Since the system is literally designed to serve public documents, the solution to this problem is likely to be costly. It’s easier for the department to blame someone than take responsibility.
The use of the “Unauthorised Access” statute, given the events that appear to have occurred, is appalling. The province’s strategy so far has been to cover this up, and when they couldn’t keep it under wraps, bust down some kid’s door, interrogate him, and seize his computers. The charges grossly outweigh the alleged offence, and arguably there was no offence.
I’m disgusted with both HRP and with the Crown prosecutor’s office for this display of Americanized justice.
If this kid broke the law, so did Google, let alone the giant issue this creates for the information security industry. If discovering a vulnerability can open you up to the same legal liability as manufacturing child pornography, suffice it to say that nothing will ever get disclosed again. Most people aren’t about to risk 10 years in prison to let the province or anyone else know something’s broken. This is generally recognized as a bad thing, weakening security across the board.
Putting confidential documents on a server designed to serve said documents to the public shows a clear lack of judgement, training, and understanding of the software and processes at hand. I think it’s abundantly clear that the blame lies at the feet of the province.