Hawks investigate City of Joburg billing website security issue

hyperian

Expert Member
Joined
Apr 17, 2008
Messages
1,846
I'd be interested to see how much the city paid for the system in question, and who the vendor was. How can no one pick up on the fact that query string parameters could be modified freely by the user?

Don't suppose anyone here has tried SQL-injecting the site?
 
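The flaw hyperian describes above is an access-control failure: the record identifier in the query string is trusted as-is, so changing it returns someone else's statement. The following is an added illustration, not code from this thread or from the City's system; the handler shape, the `STATEMENTS` sample data and the account names are constructed for the example. It places the vulnerable lookup next to a hardened one that checks ownership against the server-side session, and adds a small log audit that flags requests for statements the requesting account does not own.

```python
# Added example (not from the thread or the City of Joburg system).
# Shows a query-string record lookup with no ownership check, the hardened
# version, and a simple audit over constructed access-log records.
from urllib.parse import parse_qs

# Constructed sample data: statement id -> (owning account, statement body)
STATEMENTS = {
    "1001": ("acc-A", "Statement for account A, March"),
    "1002": ("acc-B", "Statement for account B, March"),
}


class Forbidden(Exception):
    """Raised when an account requests a statement it does not own."""


def _statement_id(query_string):
    """Extract the 'id' parameter from a raw query string (None if absent)."""
    return parse_qs(query_string).get("id", [None])[0]


def vulnerable_view(query_string, session_account):
    """Trusts the id from the URL: any logged-in account can read any statement."""
    stmt_id = _statement_id(query_string)
    record = STATEMENTS.get(stmt_id)
    return None if record is None else record[1]


def hardened_view(query_string, session_account):
    """Looks the id up, then requires that the logged-in account owns it.

    session_account comes from the server-side session, never from the URL.
    """
    stmt_id = _statement_id(query_string)
    record = STATEMENTS.get(stmt_id)
    if record is None:
        return None  # unknown id: treat as not found
    owner, body = record
    if owner != session_account:
        # Refuse and leave an audit trail; the id alone grants nothing.
        raise Forbidden(
            f"account {session_account} requested statement {stmt_id} owned by {owner}"
        )
    return body


def audit_requests(requests):
    """Flag (account, stmt_id) pairs where the account is not the owner.

    `requests` is a list of (session_account, stmt_id) tuples reconstructed
    from an access log; returns the offending pairs in order.
    """
    flagged = []
    for account, stmt_id in requests:
        record = STATEMENTS.get(stmt_id)
        if record is not None and record[0] != account:
            flagged.append((account, stmt_id))
    return flagged
```

The ownership test lives next to the lookup rather than in the URL handling, so it cannot be bypassed by editing the request; the audit function is the kind of check one would run over historical logs to see how widely such a flaw was exercised.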

House

Banned
Joined
Aug 17, 2006
Messages
5,482
I'd be interested to see how much the city paid for the system in question, and who the vendor was. How can no one pick up on the fact that query string parameters could be modified freely by the user?

Don't suppose anyone here has tried SQL-injecting the site?
Right now that would not be a good idea. I am sure they already spent a few million more on upgrading their security and logging. But, I suspect you are right.
 

Paul Hjul

Honorary Master
Joined
Aug 31, 2006
Messages
14,902
Like I stated before, if the COJ presented these logs more people would have been investigated. More would have been charged. They are unable to present this and they only opened a case against Magicdude alone.

In short, they are basing all their evidence on the fact that he identified the problem, reported it to them and also made the whole method public on how the statements can be viewed. In fact, the whole case is based on the post here on MyBB.

Like I said before, there is only one charge they can bring which has the potential of a successful conviction - The ECT Act - Section 86(1) - and that was exactly the case they opened. There still exists the possibility of a successful conviction, irrelevant of security on their server, bad coding, or whatever else. The best here would be to try and get the case withdrawn before going to court.
Nope no chance of a conviction that will stand up on appeal NONE. In fact the chances of a High Court judge upholding the charge are 1 to 10 000.

Oh and I am pretty sure that the scope of trolling is strong on this one but in the event that some moron is stupid enough to take this matter into court it will help to present the trove of posts as evidence of malicious prosecution.
 

j4ck455

Executive Member
Joined
Jan 2, 2006
Messages
5,274
I want to open a criminal negligence case against CoJ, I just need to know what acts and clauses CoJ has violated by failing to secure my personal details. Some helpful suggestions would be nice.
 

DJ...

Banned
Joined
Jan 24, 2007
Messages
70,288
If they really have opened a case against magicdude then it's time for a counter suit. I'd like to institute a "class action" suit against coj for failure to protect private information that can be used now for criminal purposes.

What's good for the goose.

Intimidation through the courts is absolutely despicable. And that's all that this is. It should not be tolerated and shouldn't be accepted by any computer literate person.

Can the legal eagles advise on the best foot forward in this respect? Surely they can't be the only ones with leverage? After all, they were the ones who failed to protect the information in the first place...
 

froot

Honorary Master
Joined
Jun 2, 2009
Messages
11,329
@DJ... spoke to a lawyer and said that never mind a counter-suit, even with the ECT act with which you can be charged, there is still the requirement of malicious intent, even if it's not explicitly stated in the act - as with most crimes. If someone decides to try and prosecute, the judge might just laugh it out of court.
 

DJ...

Banned
Joined
Jan 24, 2007
Messages
70,288
Irrespective. They're trying to bully someone into submission via the courts. For their own incompetence. That is not something that people should just sit back and watch to play out.

I find it an absolutely horrendous abuse of tax payer money to begin with. So not only do we have our personal information compromised due to coj's incompetence, but we must pay as tax payers for them to attempt an absurd lawsuit against the guy who tried to bring it to their attention.

As tax payers we are the brunt of this all. We shouldn't have accepted coj's incompetence to begin with. Are we just going to stand around and watch them waste more of our money trying to prosecute the guy who actually deserves praise for bringing this all into the public eye?

Bullschit. You fight fire with fire. You don't roll over and hope that everything works out for the best in the end...
 

The_Unbeliever

Honorary Master
Joined
Apr 19, 2005
Messages
103,199
Not to derail, but can it be argued that the new POPI act is unconstitutional as it allows government institutions off the hook when your data have been compromised due to negligence on said institution's part?
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Couple of points:
- One should ask the question why COJ has not disclosed any information on how they will prevent the data leak and what corrective actions are taken. Aside from making rate-payers' information publicly available, there seems to be still no ETA on resolution.
- The COJ is not wasting tax-payer money as much as now keeping expert skills within commercial crimes busy with a case like this (I think there are more important issues to investigate)
- Accountability is shifted and clouded via a laughable criminal case in order to distract from the actual problem (note that nowhere in the media any investigation is done around why data is leaked, who is responsible and what actions are taken)
- Although it is made out as a criminal case, it is really all about politics and lack of governance in their IT and tender process. A court case with expert (technical) witnesses will make this visible for the broader public.
- No entity or political party (DA?) seems to have any knowledge or experience with IT related legislation. POPI and ECT are poorly drafted and in due course it will be proven that those acts are incapable of standing up in court. Those acts are drafted one-sided, and hardly provide any level of fairness protecting both parties (POPI excludes government, ECT is not very explicit)

The most surprising realisation I came to is, that anyone like the COJ can go on and open a criminal case resulting in huge inconvenience for the accused (not just financially but also reputationally) and there will be hardly any recourse. It is just the nature of how the South African legal system works. Be it as it may - we are at a point where those accusations need to be defended.

I had my discussion with my legal team. We have been in contact with the investigating officer of commercial crimes and await feedback from them. I am the only one mentioned in the "complaint" (I am not referring to charges, as I have not been charged) and we still lack proper visibility of the actual content of the complaint. We are unsure if the Hawks will respond to our query or if they will refer to the prosecutor instead. We also have no idea how long such (if any) response will take.

I also think that many on this thread have actually more inside-information than I have ;-).
 

Brewmaster

"That guy"
Joined
Oct 10, 2005
Messages
5,167
MagicDude, while it's always interesting to receive updates from your point of view, didn't your legal people tell you to keep quiet? "They" might be watching and developing strategies based on information that you're posting.

Unless of course your lawyers know this and your strategy is to throw them off somehow, in which case, carry on.
 

Tracer

Well-Known Member
Joined
Dec 9, 2010
Messages
210
I also think that many on this thread have actually more inside-information than I have ;-).
Just hang in there.

While this is true, and I know who you are referring to, they do know the processes and some are actually on your side trying to help you - although it may not look like that.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
MagicDude, while it's always interesting to receive updates from your point of view, didn't your legal people tell you to keep quiet? "They" might be watching and developing strategies based on information that you're posting.

Unless of course your lawyers know this and your strategy is to throw them off somehow, in which case, carry on.
There is no need to be quiet as what has happened has been pretty transparent from the beginning. We have been very pro-active and transparent about this event and I do not see any reason to stop. We do believe that the case being with Hawks/CCU is with the most capable people in SAPS to deal with cases of such technical nature.
 

House

Banned
Joined
Aug 17, 2006
Messages
5,482
@DJ... spoke to a lawyer and said that never mind a counter-suit, even with the ECT act with which you can be charged, there is still the requirement of malicious intent, even if it's not explicitly stated in the act - as with most crimes. If someone decides to try and prosecute, the judge might just laugh it out of court.
You can tell your lawyer that the malicious intent will simply serve as mitigation and will not take away the offence that was committed. The fact that no malicious intent was present will surely help keep a person out of jail, but the conviction will not be set aside. The criminal record afterwards is the biggest problem.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Well, I took a scenic trip into town last week, met the Hawks, had a chat and then left. Was a pleasant experience (aside from having to drive into the CBD which was horrid). Hawks investigator was nice (but I feel sorry for their offices - looks very dreadful and lifeless). I know what will happen, and how it will go, but you guys will unfortunately have to wait for it to unravel.

I also know that it's now more than 4 weeks and I still can't access my statements online and was greeted with the error message below yesterday afternoon for almost 1 hour. CoJ has been dreadfully quiet and whoever their IT service-provider is, is also taking their sweet time to fix this.

coj-eservices.jpg
 

House

Banned
Joined
Aug 17, 2006
Messages
5,482
Well, I took a scenic trip into town last week, met the Hawks, had a chat and then left. Was a pleasant experience (aside from having to drive into the CBD which was horrid). Hawks investigator was nice (but I feel sorry for their offices - looks very dreadful and lifeless). I know what will happen, and how it will go, but you guys will unfortunately have to wait for it to unravel.

I also know that it's now more than 4 weeks and I still can't access my statements online and was greeted with the error message below yesterday afternoon for almost 1 hour. CoJ has been dreadfully quiet and whoever their IT service-provider is, is also taking their sweet time to fix this.

Glad to hear that there is at least some progress.

Yes, the investigating officers are not bad at all. They are very understanding and also have sufficient knowledge to deal with these matters. And, yes, their offices in Eloff street do look dreadful, but the building was donated by Business Against Crime, and the Commercial Crimes Court is located there as well, so I think that they will be there for some time.

I do not know why, but I have a slight suspicion that the COJ is keeping the system down on purpose to show some losses incurred. However, I could be wrong and their services provider is unable to correct the problems identified. If this is the case, they may well be busy redesigning the whole system.
 

Nerfherder

Honorary Master
Joined
Apr 21, 2008
Messages
24,571
Glad to hear that there is at least some progress.

Yes, the investigating officers are not bad at all. They are very understanding and also have sufficient knowledge to deal with these matters. And, yes, their offices in Eloff street do look dreadful, but the building was donated by Business Against Crime, and the Commercial Crimes Court is located there as well, so I think that they will be there for some time.

I do not know why, but I have a slight suspicion that the COJ is keeping the system down on purpose to show some losses incurred. However, I could be wrong and their services provider is unable to correct the problems identified. If this is the case, they may well be busy redesigning the whole system.
They don't generate income from that site so they can't claim losses.

Also they took it down so they can't claim that someone else is responsible for it being down.

Lastly... it was functioning before they took it down so that's also not a valid reason to claim, and they still need to prove that someone made the hole in their security.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
.... and their services provider is unable to correct the problems identified. If this is the case, they may well be busy redesigning the whole system.
I hope no-one is waiting for me to fix anything, because I am rather busy at the moment....
 