First State Super shoots the security messenger?
Patrick Webster reported a security vulnerability in First State Super’s web site which allowed any member to read any other member’s personal details.
The flaw allowed any logged in member to access other members’ statements by changing a single digit in their browser’s URL bar.
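As an added illustration (my own sketch, not First State’s code or anything from the original report), here is a minimal Python model of that flaw: a handler that checks only that someone is logged in and then trusts the statement id from the URL, next to the fixed handler that also checks ownership, plus the kind of log check an audit for earlier unauthorised access would need. The member ids, statement ids and log lines are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample data, not First State's: statement id -> (owning member, content).
# Ids are sequential, which is exactly what lets "change one digit" reach a neighbour's file.
STATEMENTS: Dict[int, Tuple[int, str]] = {
    5001: (1001, "FY statement for member 1001"),
    5002: (1002, "FY statement for member 1002"),
    5003: (1003, "FY statement for member 1003"),
}


def fetch_statement_vulnerable(session_member: Optional[int], statement_id: int) -> str:
    """Checks only that *someone* is logged in, then trusts the id taken from the URL."""
    if session_member is None:
        raise PermissionError("login required")
    _owner, content = STATEMENTS[statement_id]   # owner is never compared to the session
    return content


def fetch_statement_fixed(session_member: Optional[int], statement_id: int) -> str:
    """Authorises the object, not just the session: the statement must belong to the caller."""
    if session_member is None:
        raise PermissionError("login required")
    record = STATEMENTS.get(statement_id)
    # One error for both "no such id" and "not yours", so responses don't reveal which ids exist.
    if record is None or record[0] != session_member:
        raise PermissionError("statement not found")
    return record[1]


def denied(fn, *args) -> bool:
    """True if the call is refused with PermissionError (used by the checks below)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


# Constructed access-log lines: authenticated member, request, HTTP status.
SAMPLE_LOG = """\
member=1001 GET /statements/5001.pdf 200
member=1001 GET /statements/5002.pdf 200
member=1001 GET /statements/5003.pdf 200
member=1002 GET /statements/5002.pdf 200
member=1003 GET /statements/5003.pdf 200
"""
LOG_RE = re.compile(r"member=(\d+) GET /statements/(\d+)\.pdf (\d{3})")


def find_enumerating_members(log_text: str, max_ids: int = 1) -> Dict[int, List[int]]:
    """Members who successfully fetched more than max_ids distinct statements.

    A member normally has only their own statements, so one login pulling many
    distinct ids is the trace an audit of "previous unauthorised access" looks
    for; without such logs the question cannot be answered either way.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "200":
            seen[int(m.group(1))].add(int(m.group(2)))
    return {member: sorted(ids) for member, ids in seen.items() if len(ids) > max_ids}


if __name__ == "__main__":
    print(fetch_statement_vulnerable(1001, 5002))     # the flaw: another member's statement
    print(denied(fetch_statement_fixed, 1001, 5002))  # True once ownership is checked
    print(find_enumerating_members(SAMPLE_LOG))
```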
Although First State initially thanked Webster for the information, they later filed a complaint which sent police to Webster’s home at night, locked his own super account, threatened to recover from him the costs for dealing with the breach, and demanded he give them access to his computer.
Having such a vulnerability doesn’t show a superlative level of software development competence or auditing thoroughness, but security is hard and things slip through even the best organizations. My superannuation (retirement savings) is with First State, and while I wouldn’t leave them for having the vulnerability, I am seriously considering leaving because of their ham-fisted handling of the disclosure. FyberOptic paraphrases it as:
“Oh thank you sir for finding my wallet! Now please let me search your house to make sure you didn’t take anything of mine.”
and Troy Hunt says in his open letter to First State:
This is a particularly irrational and unreasonable response to someone whose intent was clearly to ensure the safety of your customers and the integrity of your reputation… the message [First State has] sent clearly says it is better to leave vulnerable software exposed and at risk of truly malicious activity than it is to privately and [responsibly] inform those who have failed in their duty to properly secure it in the first place.
I can appreciate that Pillar, FSS’s trustee, are in a difficult position when they know that sensitive private customer data has been exposed. We should also remember that someone who does report a vulnerability can’t be immediately assumed to have a totally white hat.
Patrick Gray from risky.biz managed to get a good phone interview (mp3) with FSS’s CEO Michael Dwyer.
The key mistakes FSS seems to have made here are:
- Examining Webster’s computer to “prove the files have been deleted” is risible: if Webster wanted to retain the files he could trivially have copied them to another machine or to a USB stick, especially since he’s been given prior warning the search may take place. This is either deep cluelessness, harassment, or a fishing expedition. Webster stated in his initial email that the files had been deleted, and that’s all the proof they’re likely to get.
- By threatening or (mildly) harassing Webster, they don’t reduce the chances that other vulnerabilities will be discovered, only the chance that other vulnerabilities will be reported to them. Account holders ought to bear in mind this makes FSS very slightly more risky than it would otherwise have been, and all Australian financial institutions more risky than they could be.
- Lawyers generally bias towards an aggressive claim-the-moon position: it’s the business’s responsibility to strike the right balance and saying this was “policy” or “legal advice” is a cop-out. Possibly they would have done better contacting an experienced computer security lawyer, rather than one whose experience seems to be on the financial side.
risky.biz draws a comparison to Google’s system of rewards and recognition for people who report vulnerabilities. Webster did go beyond what is allowed in that program by downloading the records of many other members while demonstrating the flaw, but based on Google’s handling of security so far I think they would have taken a more balanced view.
It was my money and personal information at stake and what I would have liked to see is: thanks to Webster; whatever reporting is legally appropriate; and a serious audit for both previous unauthorized access, and currently open vulnerabilities.
I’m motivated to leave partly because I don’t like giving money to jerks, partly because I don’t want to support a policy that makes internet security worse, and also because I’m concerned that when future holes in First State are discovered, they’ll be exploited before they are reported.
First State, like other industry super funds, has good low fees and reliable returns, due to being not-for-profit and spreading costs across many members. (The definition of “not for profit” is not entirely clear when both the investments and administration are outsourced, but the fees are low anyhow.) First State’s customer service is only mediocre: statements arrive three months after the close of the financial year (what are they doing?) and their phone operators have never seemed particularly well informed. Generally speaking it’s hard to beat industry super funds for value-for-money, though they do also tend to have slightly whiffy connections to the union old-boy network. Sadly the best reason to stay would be pessimism that anyone else is any better.
updates:
FSS have reached an agreement with Webster and will not be taking legal action against him, though they’re still apparently chasing the mirage of proof that data has been deleted.
The NSW privacy commissioner is investigating FSS: “Any client where there was a potential for their data to be compromised should be advised,” said McAteer.
Asher Moses at the SMH also writes:
First State Super CEO Michael Dwyer said yesterday that there was no evidence that anyone other than Webster had gained unauthorised access to customer accounts. But several computer security consultants who are paid by companies to test their networks, speaking on condition of anonymity, said they highly doubted First State kept logs or had the ability to definitively check either way.
FSS say the statements were in PDF format and were viewed by the person responsible
but from other descriptions of the event this seems unlikely. On Webster’s and media accounts the statements were downloaded but (mostly?) not viewed. There’s a difference; FSS’s sloppiness here is again unimpressive.
Windows 7 visual noise
I just started up Windows 7 from the dual-boot partition of my new Thinkpad X201 (which is mostly running Ubuntu, of course.)
The amount of visual noise in the default browser window is really pretty shocking, for a release that’s supposed to be about giving a clean experience:
- Five different fonts.
- Two Bing search fields, with different icons.
- Two controls with different icons to email the page.
- Jarring misalignment between the controls.
- Four different button decoration styles: rounded borders, no borders, square borders, and jelly-style round buttons.
- Some icons are nearly-monochrome and some are brightly coloured without this conveying any information.
- Two different divider styles: sloping s-curves vs raised dots.
- If you press Alt, everything in the window jumps around as the menu bar appears.
duplicity SSL performance to Amazon S3
I just rediscovered (and may now try to fix) duplicity bug 433970, which is basically pointing out that using SSL to talk to Amazon S3 within duplicity gives you about 6x less sustained throughput than using plain http. It’s quite an interesting result, and potentially has some consequences for Launchpad, which serves just about everything over SSL and is not as fast as one might like.
Using SSL is a bit redundant because the duplicity backups are typically gpg-encrypted anyhow. I think, without this, the worst exposure would be that people on the network between you and S3 could see that you were using duplicity, the bucket name, and the timestamps of your previous backups.
I’m not sure what the actual cause is, and it may not be directly comparable to lp. I certainly see a lot of upstream traffic as, I suppose, the client does SSL-level synchronization. It may well be something about this particular implementation either on the client or Amazon side.
Bazaar 2.1 retrospective
bzr 2.1 retrospective on the list; it’s been a really good cycle and I feel much more in flow.
Subunit Tribunal
I’ve been hacking recently on Tribunal and I’m very excited about what can be done here.
Tribunal, started ages ago by jml, was a graphical viewer for Python or Twisted test runs: you give it a class name, it runs the tests in it, and tells you which ones failed.
Some new and exciting things have been happening recently in pyunit-friends: a cluster of cooperating libraries and tools to improve testing in Python. In particular, subunit is a generic protocol for serializing/externalizing test results (similar to and convertible to/from junitxml).
A test result serialization protocol enables several interesting things (transparent remote distributed test runs) and one of them is a GUI for test results that is able to
- be well isolated from the process under test
- save, load, and compare historic test runs — never worry again about unreproducible test failures
- run and inspect tests in any language or on any platform, or tests run on one or several remote machines
- click to edit or re-run a test
- find interesting or similar failures
Anyhow, that’s the idea, but it’s early days. As of now, the trunk branch can read subunit output from a pipe or a file and filter the results.
I’m planning to rip out much of the existing code, keeping the concepts, and keeping the ability to run python or twisted tests as a mode.
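To make the “read subunit output and filter it” step concrete, here is an added example (mine, not Tribunal’s or subunit’s own code) of a small reader for the line-oriented subunit v1 text stream: `test:` opens a test, one of `success:`/`failure:`/`error:`/`skip:`/`xfail:`/`uxsuccess:` closes it, and a trailing ` [` on the closing line means detail lines follow until a line holding a single `]`. The sample stream is constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List


@dataclass
class Outcome:
    name: str
    status: str       # success, failure, error, skip, xfail, uxsuccess
    details: str = ""  # text between the "[" and "]" lines, if any


# keyword, test name, and an optional " [" announcing a multi-line details block
_LINE_RE = re.compile(r"^(test|success|failure|error|skip|xfail|uxsuccess): (.*?)( \[)?$")


def parse_subunit(lines: Iterable[str]) -> Iterator[Outcome]:
    """Yield one Outcome per completed test from a subunit v1 text stream."""
    it = iter(lines)
    for raw in it:
        m = _LINE_RE.match(raw.rstrip("\n"))
        if m is None:
            continue  # time:, tags:, progress: and stray program output are ignored
        keyword, name, has_details = m.group(1), m.group(2), bool(m.group(3))
        if keyword == "test":
            continue  # start marker; the outcome line arrives later
        details: List[str] = []
        if has_details:
            for line in it:  # consume the details block up to its closing "]"
                if line.rstrip("\n") == "]":
                    break
                details.append(line.rstrip("\n"))
        yield Outcome(name, keyword, "\n".join(details))


def failing(lines: Iterable[str]) -> List[Outcome]:
    """The filter a GUI would apply first: only failures and errors."""
    return [o for o in parse_subunit(lines) if o.status in ("failure", "error")]


# Constructed sample stream: one pass, one failure with a traceback, one skip.
SAMPLE_STREAM = """\
test: test_add
success: test_add
test: test_div
failure: test_div [
Traceback (most recent call last):
  ...
ZeroDivisionError: division by zero
]
test: test_net
skip: test_net [
no network
]
"""

if __name__ == "__main__":
    for outcome in failing(SAMPLE_STREAM.splitlines(True)):
        print(outcome.name, outcome.status)
        print(outcome.details)
```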
higher velocity in losing your luggage
I’m in Terrassa, Spain, for the Canonical allhands meeting before UDS Karmic.
I brought my motorcycle helmet with me as special-handling checked luggage, for a ride around here next weekend. I think it missed the connection in London, but it showed up today apparently unharmed so all is well.
But as it happens I read a great Malcolm Gladwell essay which mentions this topic in passing — a real example of how we can take stupid inefficient processes for granted when they’ve existed for a long time:
Ranadivé [founder of TIBCO] views this move from batch to real time as a sort of holy mission. The shift, to his mind, is one of kind, not just of degree. “We’ve been working with some airlines,” he said. “You know, when you get on a plane and your bag doesn’t, they actually know right away that it’s not there. But no one tells you, and a big part of that is that they don’t have all their information in one place. There are passenger systems that know where the passenger is. There are aircraft and maintenance systems that track where the plane is and what kind of shape it’s in. Then, there are baggage systems and ticketing systems—and they’re all separate. So you land, you wait at the baggage terminal, and it doesn’t show up.” Everything bad that happens in that scenario, Ranadivé maintains, happens because of the lag between the event (the luggage doesn’t make it onto the plane) and the response (the airline tells you that your luggage didn’t make the plane). The lag is why you’re angry. The lag is why you had to wait, fruitlessly, at baggage claim. The lag is why you vow never to fly that airline again. Put all the databases together, and there’s no lag. “What we can do is send you a text message the moment we know your bag didn’t make it,” Ranadivé said, “telling you we’ll ship it to your house.”
It would be nice if the steward could come up during the flight, tell me my bag hadn’t made it, and then ask for my hotel details to deliver it. It would have saved most of an hour waiting at the airport. (And if you count all the passengers waiting in line with their travel companions, several person-days just for that one flight…)
Ross Gittins on the Carbon Pollution Reduction Scheme conundrum
Ross Gittins explains why the draft Carbon Pollution Reduction Scheme legislation seems stuck: Labor doesn’t have the votes in the Senate without either the Greens (who won’t compromise), or the Liberals (who don’t know what they want) or the Nationals (“agrarian populism”).
Rudd’s initial proposal was purpose-built to be irresistible to the Coalition. It adopted the lowest possible go-it-alone emissions reduction target – 5 per cent – and a pathetically low 15 per cent reduction in the event of an international agreement in Copenhagen in December.
It accommodated the demands of business lobby groups to an extent Rudd’s own expert, Professor Ross Garnaut, found repugnant. … Rudd offered the Coalition a scheme little different to the one it took to the last election (both schemes having been designed by the same bureaucrats). What was Malcolm Turnbull’s reaction? Nothing doing. He rejected it, contriving to claim it was simultaneously too weak and too tough.
Clive Hamilton in Crikey believes that Labor could force it through the Senate if they had the balls. I don’t know. Maybe there is some brinksmanship here in the hope the Greens will at the last minute see high but realistic targets as a lesser evil, or that the power struggle in the Liberals will resolve.
The climate-skeptical position of the Nationals, though apparently firmly set, is bizarre to me, because their rural constituency may suffer more than anyone else from climate change. The few farmers I know personally are firmly convinced, because they have to adapt to changing temperatures and rainfall by destocking land or growing new crops.
Stephen Conroy’s facile argument for the NBN
According to The Australian, Communications Minister Stephen Conroy says:
The national broadband network could significantly reduce Australia’s carbon footprint and cut consumers’ power bills. Consumers connected to “smart grids” via the $43 billion network will pay less for electricity through a more efficient use of power, also reducing the need for more power generators, he said.
What a silly statement, and sadly quite consistent with his slippery handling of the internet filtering fiasco.
Smart grids, where power consuming devices gain information about conditions through the network, have a useful role to play in improving energy efficiency. A plugin hybrid could preferentially recharge itself when power is coming from a wind source, and avoid recharging from peak-load gas turbines. (It’s a shame about the multi-thousand-dollar tariffs on hybrid cars to protect foreign-owned Aussie V8 manufacturers, but never mind.)
However the connection to a new national broadband network is, as far as I can see, completely spurious. The end-user devices need to share only small amounts of data fairly infrequently, to basically tell them the current price of power. Prototype smart grids run as a sideband on the power line itself, and the data would be an unnoticeable addition to the common 1Mbps data connection. Upgrading to 20-100Mbps as proposed for the NBN is not going to help at all. Many things need to be done to deploy a smart grid but building a new broadband network is not one of them.
If Conroy’s concerned about the environment he ought to consider the hefty power consumption of filtering all Australian internet traffic. He hasn’t given a straight answer on just how much filtering he proposes to do, but the great-firewall-of-China style filtering he sometimes alludes to would mean hundreds or thousands of servers, therefore probably hundreds of kilowatts and tons of CO2.
The Economic Consequences of the Peace
I read John Maynard Keynes’s The Economic Consequences of the Peace on my flight to London. It was written in about 1920 and constitutes Keynes’s criticism of the economic aspects of the Treaty of Versailles, which imposed demands for reparations from Germany so irrationally high that they would likely ruin not only Germany but all Europe.
I had learned of this issue of reparations in high school history, but had imagined the instability was caused by German resentment of the payments. In fact, the amounts were set so high that even after seizing much of Germany’s shipping, railroads, and private citizen’s assets there was still no prospect they could ever be paid off.
The book is very readable – clear, well argued on both moral and intellectual grounds, lively. It’s quite tragic to contemplate how much suffering in the 20s, 30s, and 40s might have been avoided had his message been heard at the time. His essential point was that if Europe was to recover it must do so collectively, by imposing only moderate reparations and promoting trade and economic growth. He is scathing towards almost all the political leaders of the time.
On the other hand, von Mises wrote ‘it is said that [the book] inaugurated the anti-French and pro-German tendencies of Great Britain’s “appeasement” policy which virtually encouraged the rise of Nazism, permitted Hitler to defy the essential clauses of the Treaty of Versailles and finally resulted in the outbreak of the Second World War’. I don’t know if this is fair, but I intend to read more. It does seem that Keynes foresaw that a treaty making physically impossible demands must fail one way or another.
On any day you can turn on the TV and see a Nazi documentary — in some places they seem to run continuously — but rarely much thoughtful explanation of how that situation arose.
What an extraordinary episode in the economic progress of man that age was which came to an end in August, 1914! The greater part of the population, it is true, worked hard and lived at a low standard of comfort, yet were, to all appearances, reasonably contented with this lot. But escape was possible, for any man of capacity or character at all exceeding the average, into the middle and upper classes, for whom life offered, at a low cost and with the least trouble, conveniences, comforts, and amenities beyond the compass of the richest and most powerful monarchs of other ages. The inhabitant of London could order by telephone, sipping his morning tea in bed, the various products of the whole earth, in such quantity as he might see fit, and reasonably expect their early delivery upon his doorstep; he could at the same moment and by the same means adventure his wealth in the natural resources and new enterprises of any quarter of the world, and share, without exertion or even trouble, in their prospective fruits and advantages; or he could decide to couple the security of his fortunes with the good faith of the townspeople of any substantial municipality in any continent that fancy or information might recommend. He could secure forthwith, if he wished it, cheap and comfortable means of transit to any country or climate without passport or other formality, could despatch his servant to the neighboring office of a bank for such supply of the precious metals as might seem convenient, and could then proceed abroad to foreign quarters, without knowledge of their religion, language, or customs, bearing coined wealth upon his person, and would consider himself greatly aggrieved and much surprised at the least interference. But, most important of all, he regarded this state of affairs as normal, certain, and permanent, except in the direction of further improvement, and any deviation from it as aberrant, scandalous, and avoidable.
The projects and politics of militarism and imperialism, of racial and cultural rivalries, of monopolies, restrictions, and exclusion, which were to play the serpent to this paradise, were little more than the amusements of his daily newspaper, and appeared to exercise almost no influence at all on the ordinary course of social and economic life, the internationalization of which was nearly complete in practice.
….Thus this remarkable system [before the War] depended for its growth on a double bluff or deception. On the one hand the laboring classes accepted from ignorance or powerlessness, or were compelled, persuaded, or cajoled by custom, convention, authority, and the well-established order of Society into accepting, a situation in which they could call their own very little of the cake that they and Nature and the capitalists were co-operating to produce. And on the other hand the capitalist classes were allowed to call the best part of the cake theirs and were theoretically free to consume it, on the tacit underlying condition that they consumed very little of it in practice. The duty of “saving” became nine-tenths of virtue and the growth of the cake the object of true religion. There grew round the non-consumption of the cake all those instincts of puritanism which in other ages has withdrawn itself from the world and has neglected the arts of production as well as those of enjoyment. And so the cake increased; but to what end was not clearly contemplated. Individuals would be exhorted not so much to abstain as to defer, and to cultivate the pleasures of security and anticipation. Saving was for old age or for your children; but this was only in theory,–the virtue of the cake was that it was never to be consumed, neither by you nor by your children after you.
Project team blogs
I’m thinking about setting up a Bazaar group blog, separate from blog.sourcefrog.net. As of Friday the 27th, a site is up, in the sense that you can read it, but not yet announced (beyond this article). It’s still a bit of an experiment.
Within one person’s personal syndicated chronological publishing (ie “blogging”, broadly), there are different strains. The tension towards those different strains may be one reason why people have tended to go quiet, or to feel a sudden agoraphobia at how widely their personal thoughts are read or personal photos reproduced.
It’s more subtle than a binary private/public switch, and a simple password or even openid is not enough. It’s more than technical.
At the moment there’s a proliferation of different web-based tools in use: twitter, identi.ca, facebook, flickr, personally-run blogs, dopplr, planets. It’s not just that they’re just technically imperfect that’s causing the fragmentation (though repeatedly getting semi-spammed invites is tedious), but also that they provide genuinely different forums. There are some things that are not secret but personal and more appropriately shared with people you know; some that are personal opinions but that you’re happy to share with anyone; some that are about projects like Bazaar that are personal but that are also bigger than just me.
A project team blog also seems to be becoming one of the channels that people expect to have.
People tend to raise the question of whether this will just dilute the same amount of writing across multiple channels. It might, and there does seem to be a critical level of activity for a blog beyond which it’s not alive. On the other hand, now that there’s more syndication that level may be lower: infrequent posts will still pop up. But I also suspect that creating a place where a particular type of content feels really at home will create positive feedback.
For instance, Gary van der Merwe just made a nice improvement to the revision selector control in qbzr, using the layout originally invented by Scott for bzr-gtk. I like this, and I’d like to express that approbation in public but I don’t want my sourcefrog blog mostly occupied by neat bzr features because I have other things to say.