Applying PID loops to the Government

By evan on Apr 29, 2018

I was debating politics at 3 AM while roaming around downtown after AtlSecCon, and made a point that I think is worth fleshing out. The issue of elected senators came up, and whether they should be elected, how long the term should be, or if they should continue to be appointed.

Canada is a representative democracy; that is, we elect leaders who represent us in parliament. The government should in theory at any given time want the same thing as the average Canadian. The problem is, the average Canadian is a moving target. Whether you look at individuals, groups, or provinces, no matter how you split it up, beliefs, opinions, and information change. Control theory and political science are clearly at two entirely opposite ends of the academic spectrum, but I made an analogy to PID loops that I think holds up.

A perfect democracy would vote on an issue-by-issue basis, but that’s unfeasible for many reasons. Aside from manpower, there’s an episode of The Orville that both implements it and scares the hell out of me, so it’s probably a bad idea. Let’s just assume that’s not happening. Instead, we elect members of parliament to represent us, roughly on geographical and cultural lines, and for a four-year term.

Senators are considered the “sober second thought.” They are appointed by the political party of the day and remain in that position until death. The question was, should senators also be elected? A lot of people have an issue with life appointments and the idea that unelected people should have the power to stop bills from becoming law. I would argue the opposite.

A PID loop is an algorithm for ‘holding an output to a specific value.’ The most common example is that of cruise control; the system manages the throttle to hold the vehicle at the desired speed. It even has to compensate for various things like driving up a hill or coasting down the other side. Just like how the government should reflect the average Canadian, even if popular opinion changes all of a sudden. It smooths out the transition.

PID loops have 3 parts: The Proportional, the Integral, and the Derivative. All three of these have different effects on the output.

The first thing you do is find the error. How far off are we? Just take the difference between the target and the current value. The PID acts on this error.

The proportional gain, or P, affects the output as a multiplier. If we’re off by 10 km/h, and the P gain is 0.1, then the speed will be adjusted by 1 km/h every time the loop runs. It’s relatively slow, but effective. The problem with proportional control is overshoot. Generally, with process control, you want the output to be close to the desired value at all times, and doing so requires a high gain. Let’s say the gain was 10, we’re doing 110 km/h, and we want to be going 100 km/h: the car would go from 110 km/h to 100 km/h, but keep going down to 90 km/h before the control loop had a chance to react. Then it would shoot back up to 110, back down to 90, and so on. It’s called an “undamped oscillation.” Obviously, that’s a bad thing. That also looks suspiciously like a government with no senate. Laws could be written, enacted, and repealed every 4 years. This would be like driving a car by only slamming the brakes or flooring it. It’s not a comfortable ride. The country would have large swings in policy and law every time an election comes around. Cruise control is likely preferable.

The integral, or I, in a PID loop effectively takes the average difference of the previous values, and uses it to dampen the output. You can think of it like the shock absorber in a car’s suspension. The car would bounce up and down without dampening. Instead of going from 110 to 100 to 90 and back, we go from 110 to 102, to 99, to 100, and then stay there. My argument is that the Senate is the integral.

Derivatives are rarely used in process control so let’s leave that out for now. We could model the Governor General as a derivative gain of 0, rubber stamping the law except under exceptional circumstances.
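To make the three terms concrete, here is a small discrete-time cruise-control simulation. It is an added example written for this post, not code from the author. The plant model (each tick the speed changes by the controller output minus a constant “hill” drag) and the gain values are assumptions chosen to reproduce the behaviours described above: a low proportional gain settles slowly with no overshoot, a high one bounces between 110 and 90 forever, and on a hill the proportional term alone settles short of the target while the integral term, which remembers all past error, closes that gap. The derivative gain is left at 0, matching the rubber-stamp remark.

```python
"""Discrete cruise-control simulation of a PID loop (added example).

Illustration written for this post, not the author's code. The plant
model and the gains are assumptions chosen to show the behaviours the
post describes.
"""


def simulate(kp, ki=0.0, kd=0.0, hill=0.0, start=110.0, target=100.0, ticks=60):
    """Run the loop for `ticks` steps and return the speed after each step.

    kp   - proportional gain: reacts to the current error
    ki   - integral gain: reacts to the accumulated (historical) error
    kd   - derivative gain: reacts to how fast the error is changing
           (left at 0 here, the post's "rubber stamp")
    hill - constant disturbance pulling speed down each tick (km/h per tick)
    """
    speed = start
    integral = 0.0
    prev_error = target - speed
    history = [speed]
    for _ in range(ticks):
        error = target - speed           # how far off are we?
        integral += error                # memory of every past error
        derivative = error - prev_error  # rate of change of the error
        prev_error = error
        output = kp * error + ki * integral + kd * derivative
        speed = speed + output - hill    # assumed plant: throttle minus hill drag
        history.append(speed)
    return history


def steady_state_error(history, target=100.0):
    """Gap between the setpoint and the speed at the end of the run."""
    return target - history[-1]


def oscillates(history, target=100.0):
    """True if the error flips sign on every one of the last ten ticks,
    i.e. the loop never settles (the post's undamped oscillation)."""
    tail = history[-10:]
    above = [s > target for s in tail]
    return all(a != b for a, b in zip(above, above[1:]))


if __name__ == "__main__":
    runs = [
        ("P=0.1, flat road", simulate(kp=0.1)),            # slow, no overshoot
        ("P=2.0, flat road", simulate(kp=2.0)),            # 110 -> 90 -> 110 ...
        ("P=0.5, on a hill", simulate(kp=0.5, hill=2.0)),  # settles at 96, not 100
        ("PI,    on a hill", simulate(kp=0.5, ki=0.1, hill=2.0)),  # integral cancels the hill
    ]
    for name, run in runs:
        print(f"{name}: final speed {run[-1]:7.2f}, "
              f"error {steady_state_error(run):6.2f}, oscillating={oscillates(run)}")
```

The hill case is the one that shows what the integral actually buys: with P alone the loop stops pushing once the proportional output exactly balances the drag, which leaves a permanent 4 km/h gap, whereas the integral keeps accumulating that gap until it is gone.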

Since we model parliament as a proportional gain, it is clear that the most effective way to maintain the output is to model the Senate after integral control. That is, get to the median quickly, and hold there. Instead of throttling speed, it’s re-centering to match the average Canadian’s position on the political spectrum. Clearly politics is at least two-dimensional (authoritarian vs. libertarian, and economic left vs. economic right), and this can be applied to both independently.

My immediate concern with elected senators is that they can no longer be modelled by an integral. If they can also change based on the whims of voters, then they simply become another proportional gain, albeit with longer terms. My issue with this is that the output won’t necessarily settle in the middle. It would almost certainly have ‘resonant frequencies.’ When people vote for an MP, they’re likely to vote for a Senator on party lines. Officially, senators don’t have party affiliations anymore. Unofficially, they’re tribal creatures like the rest of us.

My point is, we need a damper, and I’m not sure if we can have that if Senators can be tossed out because the public disagrees with them. Once Senators are appointed, they can’t be removed by the government of the day, just as the proportional gain has no effect on the integral gain. They’re able to vote on their own, without a caucus to force their hand, and without the threat of elections.

Just as the integral looks at the previous speeds of the car, the Senate is representative of the government, historically, at various points over the last 30-40 years. A government appoints senators that align with their values at the time. The longer ago they were brought in, the less they affect the average. In my opinion, it’s nearly a perfect analogy to PID loop control. A car would be undrivable with two proportional gains, and I worry that if we remove life terms, we’re going to go off the rails.

Regarding the Freedom of Information “hack”

By evan on Apr 12, 2018

Update:

There is now a legal defence gofundme started by one of the CanSecWest organizers. Please donate what you can. This is a very important case, the government can’t be allowed to get away with this.

CBC has granted the teenager anonymity, but Jack Julian has a very good report on what happened from the teenager’s point of view.

/Update

Nova Scotia’s FOIPOP web service, much to the chagrin of reporters, has been unavailable for the better part of a week. Ironically, not much information has been provided on why. Today HRP and the Minister of Internal Affairs announced the web service had been “compromised” and a suspect was in custody. I’ll leave coverage of the subsequent political posturing to the news media, and instead focus on the actual attack and the implications this case has for security research in general.

The FOIPOP Webservice

Before I get into the details, I should explain what the provincial FOIPOP web service is and how it works.

It is a government-owned, subcontractor-run portal to pay for and receive FOIPOP reports. As a citizen, or as a reporter, you can pay a $5 fee and get access to government documents, from the normal course of their business, that are by and large considered to be public. In fact, there is a law, the Freedom of Information and Protection of Privacy Act, that ensures those records are available to the public, with some restrictions. Those restrictions largely surround personal information. For example, I can request information about a project, but not about a person unless that person is me (or has given permission).

Let’s get an idea of the scope of this breach. According to Global News,

On April 6, Unisys informed the province that between March 3 and March 5 more than 7,000 documents were accessed and downloaded by a “non-authorized person.”

The province says that 250 of the documents contain highly sensitive personal information such as birth dates, addresses and social insurance numbers.

This implies there were 6750 documents that did not contain “highly sensitive” personal information and 250 that did.

As Tim Bousquet at the Halifax Examiner reported:

Part of my routine for writing Morning File is to daily check various government websites for new activity — provincial and federal tender offers, orders in council, and the Freedom of Information Office’s disclosure log.

That last is a bit of reporting theft — we reporters can see what each other has been working on, as the FOI office posts the disclosures given to other reporters two weeks after they’ve been released. More importantly, citizens can use the site to easily make their own Freedom of Information requests, pay the $5 application fee, track their requests, get an electronic record when the information is released, and like reporters do, look at other releases.

Considering 6750 of the documents did not contain “highly sensitive” personal information, and were therefore literally published publicly by the government, that would imply to me that the actual scope of the breach is limited to 250 records.

The Attack

An unnamed 19-year-old man from Halifax (I’m calling him Mr. Big) was arrested, interrogated, and charged yesterday in relation to a “breach of a provincial government network” and was subsequently charged with “Unauthorized Use of Computer,” which carries a penalty of up to 10 years. As Deputy Minister Jeff Conrad told Global News:

“There’s no question, this was not someone just playing around”

It would appear the government is not “playing around” either, considering this charge carries the same maximum sentence as both rape and creating child pornography.

We’ve established that 250 records were “highly sensitive”; the question is how did Mr. Big retrieve them? Surely the provincial government does its best to protect “highly sensitive” documents from hackers. Right?

The Exploit

I wish I could say the exploit was advanced. That it was complicated, that it was novel or new; that the province simply had no chance against this bastion of elite hacker skills. The problem is I can’t even call it an exploit with a straight face. Ernie and Bert probably explain it best.

The way the documents are stored is simple. They’re available at a specific URL, which David Fraser, a Halifax-based privacy lawyer, was happy to provide:

https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1234

Document number 1235 is stored at https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1235.

Guess where document 1236 is stored? This is not a new problem. In fact, it was recognized over a decade ago as one of the top ten issues affecting web application security. All Mr. Big had to do was add.

The software is manufactured by a company called CSDC Systems. As CBC reports:

“This is an isolated incident and no other CSDC products or customers have been impacted,”

I was able to find several American cities using the same software, and they all work the same way. That would imply the system is working as designed. I believe them when they say the issue is isolated to NS, because this is not an issue with the software but with how it’s used by the province.

https://eservices.iowa.gov/PublicPortal/Iowa/IBON/common/display_attachment.jsp?AttachmentRSN=2908
https://lic.ok.gov/PublicPortal/OAB/common/display_attachment.jsp?AttachmentRSN=392874

These two sites are very interesting, because they use the same software, but are in a subfolder called “PublicPortal.” We’ll get back to that.

You can find them yourself, simply google “inurl:attachmentRSN”. Try it out, and you’ll notice the first few results are from none other than foipop.novascotia.ca.

I later found the same URL on the NS NDP website. The link doesn’t currently work, as the province took the system down. That being said, Google was able to index and cache several FOIPOP requests. This document specifically, number 7433, appears to have all contact information redacted, which implies it’s one of the ones explicitly posted for public consumption and representative of 6750 of the 7000 files.

To be crystal clear, Google was able to access, and continues to host, several of the same documents Mr. Big is facing charges over.

The Charges

What are the actual charges? From the Canadian Criminal Code (emphasis mine):

Unauthorized use of computer
342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service;
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a
(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c).

In order to secure a conviction, the crown would have to prove beyond a reasonable doubt that the access was fraudulent.

Just as this isn’t a new problem, it’s not the first time it’s been before the courts. There are two very high profile cases.

The first, Aaron Swartz, the inventor of RSS, downloaded millions of journals from a server at MIT.

“Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. Attorney’s office and at MIT contributed to his death,” his family said.

Sadly, he killed himself while being railroaded by the US justice system.

The second, Andrew Auernheimer, was not only charged but convicted of an offence under the US Computer Fraud and Abuse Act. His exploit was almost identical to the FOIPOP issue at hand.

After being sentenced to 3 years in prison, and serving part of it, Auernheimer’s case took an interesting turn: it was overturned by the US Court of Appeals.

It gets even more interesting, because according to the EFF (emphasis mine):

Although it did not directly address whether accessing information on a publicly available website violates the CFAA, the court suggested that there may have been no CFAA violation, since no code-based restrictions to access had been circumvented.

The Defense

The question remains, was the access fraudulent?

Remember what I said about the other installations being called “PublicPortal”? And how 6750 of the 7000 records were public anyway, and how this system is literally designed for facilitating “access to information”? Looking at it further, there are no authentication mechanisms, no password protection, no access restrictions. It’s very clear that the software is intended to serve as a public repository of documents.

It’s also very clear that there are at least 250 documents improperly stored there by the province. Documents that the province had a responsibility to protect, and failed.
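The flaw described in The Exploit and again here is that the number in the URL is the only thing the server consults before handing back a document. The following is an added example written for this post, not code from CSDC Systems or the province; the in-memory document store, the “public”/“owner” metadata and the function names are assumptions. It puts the as-deployed pattern beside a handler that applies one authorization check, and includes a regression check that walks every ID to count how many non-public records each handler gives up.

```python
"""Sequential document IDs with and without an authorization check.

Added illustration for this post, not code from CSDC Systems or the
province. The store, the ownership model and the function names are
assumptions; the point is the single missing check.
"""

# Constructed sample store keyed by a sequential "attachmentRSN".
DOCUMENTS = {
    1234: {"body": "Tender results (contacts redacted)", "public": True,  "owner": None},
    1235: {"body": "Order in council",                   "public": True,  "owner": None},
    1236: {"body": "SIN and address of applicant A",     "public": False, "owner": "applicant-a"},
    1237: {"body": "Birth date of applicant B",          "public": False, "owner": "applicant-b"},
}


class NotFound(Exception):
    """Raised for missing *and* for denied records, so that a guessed
    number reveals nothing about whether a confidential record exists."""


def download_as_deployed(rsn, requester=None):
    """The pattern the post describes: whatever number is in the URL is
    looked up and returned. The requester is never consulted."""
    record = DOCUMENTS.get(rsn)
    if record is None:
        raise NotFound(rsn)
    return record["body"]


def download_with_authorization(rsn, requester=None):
    """Hardened variant: the ID is still looked up, but the record's own
    metadata decides who may see it.

    requester - identity of the authenticated user, or None for anonymous
    """
    record = DOCUMENTS.get(rsn)
    if record is None:
        raise NotFound(rsn)
    if record["public"]:
        return record["body"]        # disclosure-log material: anyone
    if requester is not None and requester == record["owner"]:
        return record["body"]        # your own request: you
    raise NotFound(rsn)              # everything else: 404, not a telling 403


def is_denied(handler, rsn, requester=None):
    """True if `handler` refuses `rsn` to `requester`."""
    try:
        handler(rsn, requester)
    except NotFound:
        return True
    return False


def count_confidential_exposed(handler, requester=None):
    """Regression check: how many non-public records does `handler` hand
    to `requester` when every ID in the store is requested in turn?"""
    leaked = 0
    for rsn, record in DOCUMENTS.items():
        if not record["public"] and not is_denied(handler, rsn, requester):
            leaked += 1
    return leaked


if __name__ == "__main__":
    print("as deployed, anonymous:", count_confidential_exposed(download_as_deployed))
    print("hardened, anonymous:   ", count_confidential_exposed(download_with_authorization))
    print("hardened, applicant-a: ", count_confidential_exposed(download_with_authorization, "applicant-a"))
```

Random, unguessable identifiers would make a walk through the numbers impractical, but they are only defence in depth: a leaked link to a confidential record is still served to anyone. The check on the record’s own metadata is the fix, and a test like `count_confidential_exposed` is the kind of thing an audit of the deployment would have run.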

Mr. Big asked for a document, and the server returned it, as it’s supposed to. Then he asked for them all, and unluckily for him, 250 of the 7000 were “confidential.” He didn’t even try to hide, apparently having been traced by his IP address.

Was that access fraudulent? It’s for the courts to decide, but I would argue no.

Had this system been audited, or looked at by any reasonably competent security professional, this would have been fixed before it became national news and an embarrassment to the province.

An interesting question to consider; was Mr. Big even the only one to discover the flaw? From Global News:

“The employee was involved in doing some research on the site and inadvertently made an entry to a line on the site – made a typing error and identified that they were seeing documents they should not have seen,” Deputy minister Jeff Conrad told a technical briefing.

The government’s official position is that the flaw just happened to be rediscovered last week by a miscellaneous staffer. Apparently, when they raised the issue, the technical team discovered Mr. Big in the logs from a month prior.
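The technical team found the earlier downloads in the web server logs after the fact. What a review of those logs could have flagged at the time is one client stepping through attachment numbers one at a time. The following is an added example for this post, not the province’s or Unisys’s tooling; the log lines are constructed in Apache combined-log style and the IP addresses are from documentation ranges.

```python
"""Spotting a sequential walk through attachmentRSN in web server logs.

Added example for this post, not tooling from the province or Unisys.
Log lines are constructed; IPs are documentation-range addresses.
"""
import re
from collections import defaultdict

# Constructed sample: one reader fetching a few disclosure-log documents,
# and one client stepping through IDs one at a time.
SAMPLE_LOG = """\
198.51.100.23 - - [03/Mar/2018:09:12:01 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=7433 HTTP/1.1" 200 48120
203.0.113.7 - - [03/Mar/2018:02:14:00 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1234 HTTP/1.1" 200 5120
203.0.113.7 - - [03/Mar/2018:02:14:01 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1235 HTTP/1.1" 200 6001
198.51.100.23 - - [03/Mar/2018:09:15:40 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=7410 HTTP/1.1" 200 30211
203.0.113.7 - - [03/Mar/2018:02:14:02 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1236 HTTP/1.1" 200 7777
203.0.113.7 - - [03/Mar/2018:02:14:03 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1237 HTTP/1.1" 200 8123
203.0.113.7 - - [03/Mar/2018:02:14:04 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1238 HTTP/1.1" 200 9000
198.51.100.23 - - [03/Mar/2018:09:20:12 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=7433 HTTP/1.1" 200 48120
203.0.113.7 - - [03/Mar/2018:02:14:05 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1239 HTTP/1.1" 200 4321
"""

# Client IP is the first field; the parameter name is matched case-insensitively
# because other installations spell it "AttachmentRSN".
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?attachmentRSN=(?P<rsn>\d+)', re.IGNORECASE)


def parse(lines):
    """Yield (client_ip, rsn) for every line that requests an attachment."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), int(m.group("rsn"))


def longest_sequential_run(rsns):
    """Length of the longest stretch where each ID is the previous one plus 1."""
    best = run = 1 if rsns else 0
    for prev, cur in zip(rsns, rsns[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(lines, min_run=5):
    """Return {ip: longest_run} for clients whose requests, in log order,
    walk through at least `min_run` consecutive attachment numbers."""
    by_ip = defaultdict(list)
    for ip, rsn in parse(lines):
        by_ip[ip].append(rsn)
    runs = {ip: longest_sequential_run(rsns) for ip, rsns in by_ip.items()}
    return {ip: run for ip, run in runs.items() if run >= min_run}


if __name__ == "__main__":
    for ip, run in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {run} consecutive attachment numbers")
```

A human reader jumps between unrelated numbers and comes back to the same document; an enumeration produces a long monotone run. The threshold is a tuning choice, and on a system with no authentication the log is the only record of who read what, which is exactly why this is worth looking at before someone else reports it.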

They haven’t announced charges against the staffer, so presumably, they don’t consider that manipulation to be “fraudulent.”

Disclosure Theory

I have personally disclosed a vulnerability to the Province of Nova Scotia before, about 2 days before CBC picked up the story of a Russian website broadcasting webcam videos of children in a public school. It was surprisingly difficult to find someone to disclose it to. No one was willing to talk about it, or knew who should handle it. I eventually, via a friend at shared services, got in touch with someone who would take the report. They took it very seriously once the news broke.

To be clear, this is speculation, but it isn’t an unreasonable theory that Mr. Big disclosed the vulnerability to the province. Clumsily maybe, but I honestly believe they tried. I don’t buy the story that the province conveniently happened to discover the breach because someone else noticed the exploit a few weeks later. The system had been in place for over a year and a half, so the timing is suspect at best.

I believe the province failed in their responsibility to protect the data and is now railroading Mr. Big to cover it up.

Since the system is literally designed to serve public documents, the solution to this problem is likely to be costly. It’s easier for the department to blame someone than take responsibility.

In Conclusion

The use of the “Unauthorised Access” statute, given the events that appear to have occurred, is appalling. The province’s strategy so far has been to cover this up and, when they couldn’t keep it under wraps, bust down some kid’s door, interrogate him, and seize his computers. The charges grossly outweigh the alleged offence, and arguably there was no offence.

I’m disgusted with both HRP and the Crown prosecutor’s office for this display of Americanized justice.

If this kid broke the law, so did Google, to say nothing of the giant issue this creates for the information security industry. If discovering a vulnerability can open you up to the same legal liability as manufacturing child pornography, suffice it to say that nothing will ever get disclosed again. Most people aren’t about to risk 10 years in prison to let the province or anyone else know something’s broken. This is generally recognized as a bad thing, weakening security across the board.

Putting confidential documents on a server designed to serve said documents to the public shows a clear lack of judgement, training, and understanding of the software and processes at hand. I think it’s abundantly clear that the blame lies at the feet of the province.


Halifax: we have a problem

By evan on Aug 27, 2017

I was curious about something the other day. Little did I know how far the rabbit hole would go. I was mostly wondering about Halifax vs. “other places I’d consider living,” so I left out Calgary, Vancouver, and a few others. They still came in above Halifax.

To be clear, I’m not looking at leaving immediately. That being said, I have no doubt that the next time I’m looking for a job, it won’t be here.

Using data from Numbeo and Glassdoor I compared “Senior Software Developer” salaries vs cost of living for a bunch of major cities in Canada. We’re number two from the bottom.

It turns out one of the best places to live as a software dev is Sydney. It may seem surprising, but they have a ridiculously cheap cost of living (you can literally buy a house for under 50k; see here, here, and here). Though their salaries are amongst the lowest, proportionally it’s on par with Kitchener-Waterloo. Also, they have FTTH. If you’re working from home, you’re one of the best-situated devs in the country.

The best overall by a wide margin is Ottawa. I haven’t dug into why that’s the case yet. I assume government jobs, but I know they do have their share of tech businesses (Shopify, etc.).

The equivalent salary column is most damning. You’d have to make slightly more in Toronto and St. John’s to come out even. It’s an instant raise to move to any other city.

Sure, Toronto’s rent is higher. But when we’re paying more in taxes, in utilities, on food, and everything else, it’s a 5% difference overall. It’s actually cheaper to live in our nation’s capital. Even taking into account the cost of flying the family home every few months, it’s a massive difference in disposable income (on average) to move. I have to assume this is causing massive damage to the local tech sector.

To be fair, tech salaries have come up in Halifax over the past few years. I know one person who specifically cited that as a reason for staying. I’m sure there are a lot of reasons for the overall increase, I tend to attribute a lot of it to an implied cap on tech startup salaries that was dealt with a couple years ago.

Had I run these numbers 10 years ago, I’d have moved to Ontario in a heartbeat. Had I run them 5 years ago, I’d have stayed there. How many people already did? We hear about people moving “out west” to the oil fields. The new buzzphrase is “Data is the new oil” and I have a feeling nothing’s changed.

I used to joke that our largest export is young people. It’s not a joke anymore. I hear about the “tech labour shortage” all the time. No one can find people. Recruitment is impossible. Well, I think the issue is clear. There are two ways to solve it: drastically cut taxes and utility costs (ha!), or increase salaries by 10 to 20%. The latter happens to be a solution to at least 1/4 of the issues raised by the Ivany Report.

I ran the same numbers for the “average permanent hourly wages” from StatsCan for the same list of cities. That’s a reasonable proxy for “an average full-time job.” Halifax is actually at the very bottom. The rest of the list doesn’t change that much, other than Sydney going to the top. That’s the cheap housing again.

Let me know if you have comments or better sources for the data I used. I’m just presenting it as is; if there’s better data, I’d love to use it.

Assigning Blame Accurately

By evan on May 09, 2017

As a follow-up to the last articles, CBC has today published a new take on the security camera incident at a Cape Breton school last week.

“We are actually going to be sending letters and reaching out the manufacturers in the very near future,” said Jennifer Rees-Jones, a senior advisor at the Office of the Privacy Commissioner of Canada.

The office wants all manufacturers to make devices that require users to change the default password when they plug the surveillance camera in. It also said the boxes the cameras come in should have strongly worded warnings about the privacy risks if the device is not secure.

These simple steps would make Canada a world leader in IoT security. They’re not without precedent, though; in March of this year, a California Senator introduced a cyber-security bill.

As WCSR reported just last month, the bill would require manufacturers to design devices in such a way that they will:

– … indicate to the consumer when it is collecting information
– obtain consumer consent (presumably through some form of user interface) before the device collects or transmits information

CBC spoke with experts again:

“Some of them have very strong security. Some have no security at all. Some have very weak and hackable security settings,” said Robert Currie, director of the Law and Technology Institute at the Schulich School of Law at Dalhousie University.

Tom Redford of Wilson’s Security in Dartmouth said … “If it’s just left at factory default, you’re leaving yourself susceptible to being hacked,” he said.

The default is transmit, with no password and no authentication. It’s working as designed. To call it a “hack” implies those viewing the public feed are at fault.

Redford suspects a lack of passwords may be to blame.

The lack of passwords is an issue, and was certainly relevant. The question is why were there no passwords? The user manual for the device in question recommends setting a password and protecting the video feed.

If the device had defaulted to password protected, as the Office of the Privacy Commissioner of Canada requested in 2015, this may not have been an issue.
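The two defaults being contrasted here, “transmit with no password” and “require the owner to change the default password before the camera does anything,” come down to a small first-boot gate in firmware. The following is an added example for this post, not code from any camera vendor; the configuration keys, the list of factory passwords and the function names are assumptions. It puts the shipped configuration beside the one the Privacy Commissioner asked for and shows the setup step that has to run before the stream is allowed out.

```python
"""First-boot gate for a network camera: no stream until the factory
default credential has been replaced.

Added example for this post; not a vendor's code. The configuration keys
and the list of factory passwords are assumptions.
"""

# Constructed sample of factory credentials; a real device carries its own.
DEFAULT_PASSWORDS = {"", "admin", "1234", "12345", "password"}
MIN_PASSWORD_LENGTH = 12

# The "working as designed" default the post describes: streaming on,
# authentication off, empty password.
SHIPPED_CONFIG = {
    "stream_enabled": True,
    "auth_required": False,
    "password": "",
    "password_changed": False,
}

# The default the Privacy Commissioner asked for: nothing goes out until
# the owner has completed setup.
SECURE_DEFAULT_CONFIG = {
    "stream_enabled": False,
    "auth_required": True,
    "password": "admin",
    "password_changed": False,
}


def may_stream_as_shipped(config):
    """Shipped behaviour: the only question asked is whether streaming is on."""
    return config["stream_enabled"]


def may_stream(config):
    """Requested behaviour: streaming is allowed only when authentication
    is required and the password is no longer a factory default."""
    if not config["stream_enabled"] or not config["auth_required"]:
        return False
    if not config["password_changed"]:
        return False
    if config["password"] in DEFAULT_PASSWORDS:
        return False
    return True


def complete_setup(config, new_password):
    """Owner replaces the factory password on first boot. Returns a new
    configuration with the stream enabled, or raises ValueError."""
    if new_password in DEFAULT_PASSWORDS:
        raise ValueError("password must not be a factory default")
    if len(new_password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    updated = dict(config)
    updated.update(password=new_password, password_changed=True,
                   auth_required=True, stream_enabled=True)
    return updated


def setup_is_accepted(config, new_password):
    """True if `complete_setup` would accept `new_password` for `config`."""
    try:
        complete_setup(config, new_password)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("shipped default streams:", may_stream_as_shipped(SHIPPED_CONFIG))
    print("secure default streams: ", may_stream(SECURE_DEFAULT_CONFIG))
    ready = complete_setup(SECURE_DEFAULT_CONFIG, "correct-horse-battery")
    print("after setup streams:    ", may_stream(ready))
```

Note that `may_stream` applied to the shipped configuration also returns False: the gate refuses an unauthenticated stream regardless of how the box left the factory, which is the property the Commissioner’s request is really after. Opening a firewall hole for the camera, as the post goes on to suspect, would then expose a login prompt rather than the feed.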

Nova Scotia’s privacy commissioner and the Cape Breton-Victoria Regional School Board have launched investigations into how the security camera was left open to the internet.

School officials have not revealed the results of their inquiry, but are calling it an “isolated incident.”

From discussions with another school board, it appears likely that a hole was explicitly opened in the school’s firewall to let it through. That would imply there was a conscious decision to make the cameras available publicly.

I strongly recommend reporters dig a bit deeper on this issue. For example:

  • Who requested the cameras?
  • For what purpose?
  • Who requested they be available publicly?
  • Did the IT department read the manual, and make appropriate recommendations?
  • If they did, were they overruled, and if so, by whom?
  • Whose responsibility is the security of the devices attached to the network?

Kijiji Unsold Plugin

By evan on Aug 04, 2014

I’ve been getting pretty frustrated with Kijiji recently. One thing that keeps coming up is people writing “sold” in the title rather than actually deleting the ad. Why? I have no idea. Perhaps they think people (more…)