SANRAL E-TOLL WEBSITE VULNERABILITY

So despite the project being implemented years after it was supposed to be, and despite their assurances that the system has been live in test mode for months, their most important data is years out of date?
What a joke.
 
Please see some of the other sanral threads in various sections of the forum. There have been some routing issues to SANRAL (on SANRAL's side) since around 30 Dec. Telkom Internet ADSL IPs were affected, but that is now fixed. Telkom Mobile has some IP blocks (at least 197.208/16) that are still affected. Afrihost/MTN's 105.237/16 was affected last time I checked. And, every website availability testing site I tried still shows it as down. It took about 4 days from when we reported it to their service providers to get access from Telkom Internet ADSL fixed.

Maybe when that gets to the news they will claim that they were hacked. Or trying to prevent hacking. When of course, it seems they don't understand routing much ...

Well, I'm not in ZA...

http://www.isup.me/www.sanral.co.za - still shows down.

When I try directly, and with a UK VPN no access...

Strangely when I try via a remote desktop in ZA, still no access (although that's on ADSL)

Anyhow, I heard from someone there was another exploit they (sanral) closed a few months back - not quite so simple as this report, but again due to negligence/incompetence. It was a session hijack if I recall, so I am dead sure there are more to come...
 
LOL, just saw this gem. Classic. :D

Well, if there was any avenue, whatsoever to charge them criminally, don't you think JPSA, DA or Outa would have jumped at the opportunity already? Don't you think a member of MyBB would have laid charges?

Lol, try again :)
 
Well, if there was any avenue, whatsoever to charge them criminally, don't you think JPSA, DA or Outa would have jumped at the opportunity already? Don't you think a member of MyBB would have laid charges?

Lol, try again :)

"No act any company can be charged with criminally"

http://www.timeslive.co.za/thetimes/2012/09/11/coal-mine-in-hot-water
http://mg.co.za/article/2013-01-08-mine-charged-with-radioactive-contamination
http://www.moneyweb.co.za/moneyweb-industrials/environmental-crime-business-as-usual-for-sa-compa
 

Without looking at any of your links - do they all entail poor security of data on their servers? Because, this is what I have been talking about in this thread in terms of criminal prosecution.
 
Just a question House - based on the above one can argue that "someone" tried to access the data, access was not denied, hence they assumed they were authorised? The reasonable man on the street would expect access to be denied when he is not authorised to access it.

Additionally, as "authorised" is not defined in the act - you would need to go and look at common law, other legal cases etc to get an acceptable definition of it?

There have been a large number of precedent cases that define authorization in South Africa. All of them agreed that authorization is permission given by an individual - not a server, not a script, but a person.

So, there is no uncertainty about the definition of authorization, but users of this forum want to argue - like you said - that the server did give permission. I know from experience this will not stand in court (this can be argued in a High Court after the trial in order to see if they agree and can set a precedent case, but the chances for this are slim).

Besides that, section 85 is quite clear on the matter. It is straightforward and not reliant on any other act.
 
What person authorised me to view the COJ account in my name?
 
What person authorised me to view the COJ account in my name?

The COJ systems administrator on behalf of the company when you logged into your own account and naturally you yourself.

This is why, in the COJ case, the police obtained affidavits (in terms of permission to access the statements) from both the COJ and the specific account holders whose statements were accessed.
 
There have been a large number of precedent cases that define authorization in South Africa. All of them agreed that authorization is permission given by an individual - not a server, not a script, but a person.

Those "precedent" cases involved aspects such as gaining access to a co-worker's laptop, dumping company data and reselling it et al. So, please enlighten us with a single case where a person was convicted for 86.1 specifically (and not 86.2 to 86.5), as we are only talking about authorisation and nothing else.

If Sanral pursues criminal charges against the hacker and uses ECT I think they would be able to use 86.1 and 86.4. They would face the same challenge with 86.1 but would be able to overcome 86.4 (which was not the case with CoJ).
 
Just a question House - based on the above one can argue that "someone" tried to access the data, access was not denied, hence they assumed they were authorised? The reasonable man on the street would expect access to be denied when he is not authorised to access it.

Additionally, as "authorised" is not defined in the act - you would need to go and look at common law, other legal cases etc to get an acceptable definition of it?
Well, this is where old Housy gets himself horribly knotted.
The meaning of unauthorized on HTTP is clearly defined in the standards and practices. Any access to a website is done by requesting content from a webserver; on receipt of the request the server, amongst other things, checks if the requester has authorization for receipt of the content, and only if the requester has such access does it serve the data. If the credentials supplied by the requester do not afford the requester authorized access, a credential request is made and eventually an error denying access is made. The CoJ etc. do not even put in an authorization - never mind a security - system that is compliant; instead they authorize all.

The e-toll vulnerability is a little more interesting.

But you really shouldn't be giving House any credence at all - unless he is driving an Opel Monza GSi - as we have caught him lying and so horribly wrong (confused on basics) so often that it is reaching the point of becoming a meme.
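One way to implement the server-side check the post above describes, as an added example that is not from this thread nor from any SANRAL or CoJ system: the handler authenticates the Basic credentials and then checks that the authenticated user actually owns the requested statement, so a request without credentials gets a 401 challenge and a request for someone else's account gets a 403 instead of being served. The users, passwords and account numbers are constructed for the example.

```python
import base64
from typing import Dict, Optional, Tuple

# Constructed sample data for the example: who may log in, and which
# user owns which account statement. Not real accounts or credentials.
USERS = {"alice": "alice-pw", "bob": "bob-pw"}
STATEMENT_OWNER = {"1001": "alice", "1002": "bob"}


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the username if the Basic credentials are valid, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header counts as no credentials
    return user if USERS.get(user) == pw else None


def handle_statement(headers: Dict[str, str], account_id: str) -> Tuple[int, Dict[str, str], str]:
    """Serve /statements/<account_id> only to the account's owner.

    Returns (status, response headers, body) like a minimal HTTP handler.
    """
    user = authenticate(headers)
    if user is None:
        # No usable credentials: challenge the client (401 with WWW-Authenticate).
        return 401, {"WWW-Authenticate": 'Basic realm="statements"'}, ""
    owner = STATEMENT_OWNER.get(account_id)
    if owner is None:
        return 404, {}, ""
    if owner != user:
        # Authenticated, but not authorised for this particular object:
        # this is the per-object check an "authorize all" site omits.
        return 403, {}, ""
    return 200, {"Content-Type": "text/plain"}, f"statement for account {account_id}"


def basic_header(user: str, pw: str) -> Dict[str, str]:
    """Build the Authorization header a client would send (for the usage below)."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    print(handle_statement({}, "1001")[0])                                  # 401
    print(handle_statement(basic_header("alice", "alice-pw"), "1001")[0])   # 200
    print(handle_statement(basic_header("bob", "bob-pw"), "1001")[0])       # 403
```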
 
Those "precedent" cases involved aspects such as gaining access to a co-worker's laptop, dumping company data and reselling it et al. So, please enlighten us with a single case where a person was convicted for 86.1 specifically (and not 86.2 to 86.5), as we are only talking about authorisation and nothing else.

If Sanral pursues criminal charges against the hacker and uses ECT I think they would be able to use 86.1 and 86.4. They would face the same challenge with 86.1 but would be able to overcome 86.4 (which was not the case with CoJ).

There are no precedent cases as none of the convictions were ever challenged in terms of 86(1). So, if your attorney has done some homework, as suggested before, they would already have gotten the lower court judgments from the various commercial crimes courts, as these courts (due to the fact that there are no precedent cases) use each other's decisions at this point in time. You will not find these judgments unless you find the specific cases and get hold of the charge sheets.

In fact, I pointed you, in the other thread, to one of my old, old section 86(1) cases where the court clearly defined authorization based on a precedent case from the supreme court. In fact, here is one they really need to look at closely - R v Douvenga (District Court of the Northern Transvaal, Pretoria, case no 111/150/2003, 19 August 2003, unreported) and they will find at least 50+ other convictions after 2003 in terms of this section at the JHB commercial crimes court as well.

The most important thing about all these cases is that the authorization or permission aspect has been dealt with. Your argument of the 'server' giving authorization will be something that only a high court can deal with after the criminal trial. It is unlikely that the lower courts will go against the definition of authorization / permission already determined by higher courts.

I am not your attorney, nor have I been appointed at any time to assist, but for them going the extra mile and preparing properly may just show these small things they are obviously not aware of right now.
 
There are no precedent cases as none of the convictions were ever challenged in terms of 86(1). So, if your attorney has done some homework, as suggested before, they would already have gotten the lower court judgments from the various commercial crimes courts, as these courts (due to the fact that there are no precedent cases) use each other's decisions at this point in time. You will not find these judgments unless you find the specific cases and get hold of the charge sheets.

In fact, I pointed you, in the other thread, to one of my old, old section 86(1) cases where the court clearly defined authorization based on a precedent case from the supreme court. In fact, here is one they really need to look at closely - R v Douvenga (District Court of the Northern Transvaal, Pretoria, case no 111/150/2003, 19 August 2003, unreported) and they will find at least 50+ other convictions after 2003 in terms of this section at the JHB commercial crimes court as well.

The most important thing about all these cases is that the authorization or permission aspect has been dealt with. Your argument of the 'server' giving authorization will be something that only a high court can deal with after the criminal trial. It is unlikely that the lower courts will go against the definition of authorization / permission already determined by higher courts.

I am not your attorney, nor have I been appointed at any time to assist, but for them going the extra mile and preparing properly may just show these small things they are obviously not aware of right now.

Sorry House - we are all talking about unauthorised access in a scenario like CoJ or Sanral violating 86(1). You throw in Douvenga, which rightfully was 86(1), but in this scenario Douvenga attempted to e-mail her company's entire client database to her fiance so that she could take it with her for new employment. That person was I think fined 1-2K or 3 months in prison. This is hardly a comparable precedent as you want to make out, and I rather rely on my legal team and advocates who have dealt with ECT cases before. You and I know exactly why this case has such importance for the prosecution, and if it was that clear-cut it would have already resulted in charges. Right now there has not been a single case similar to CoJ/Sanral that achieved a conviction.

If you make statements like the above, it would be fair and honest for readers of this forum to be truthful. At times it appears that you are intentionally leaving out important information the layman will not be able to understand. Thankfully I have the advantage of having gone through ECT, POPI and any other legislation as part of my job and am quite comfortable that my advocates will provide the appropriate legal representation. Many users on this forum have to unfortunately rely on half-truths and thankfully have started to question such statements.
 
This is what infuriates me - the parroting by mainstream journalists of falsehoods spewed by sanral spokespersons.

See clip from business report below.

Cyber attack!

As much fun as it is baiting house here, the real battle is out there

We need some kind of organised body to refute this kind of rubbish where a PR flack can spin shoddy security into a cyber attack, and get away with it.

People Against Cyber and Electronic Falsehoods (PACEF)

Edit: fixed PR flack - stupid autocorrect changed it to PM
 
Sorry House - we are all talking about unauthorised access in a scenario like CoJ or Sanral violating 86(1). You throw in Douvenga, which rightfully was 86(1), but in this scenario Douvenga attempted to e-mail her company's entire client database to her fiance so that she could take it with her for new employment. That person was I think fined 1-2K or 3 months in prison. This is hardly a comparable precedent as you want to make out, and I rather rely on my legal team and advocates who have dealt with ECT cases before. You and I know exactly why this case has such importance for the prosecution, and if it was that clear-cut it would have already resulted in charges. Right now there has not been a single case similar to CoJ/Sanral that achieved a conviction.

If you make statements like the above, it would be fair and honest for readers of this forum to be truthful. At times it appears that you are intentionally leaving out important information the layman will not be able to understand. Thankfully I have the advantage of having gone through ECT, POPI and any other legislation as part of my job and am quite comfortable that my advocates will provide the appropriate legal representation. Many users on this forum have to unfortunately rely on half-truths and thankfully have started to question such statements.

Sorry Magic, but you will see later for yourself what I am referring to.

Precedent cases do not have to be similar to current incidents. They are being used for certain aspects, as with your case the 'Authorization' question. While you and others think a server can give authorization, in S v Douvenga it was made clear that authorization was permission given by a person.

The whole case is not being used, only that part of the judgement. The same happened in Douvenga's case. They used a precedent case which related to a vehicle accident when looking at the term 'authorization' or 'permission'. Although they did not make use of the whole precedent or the situation that was not remotely similar, they did focus on the 'authorization' or 'permission' aspect of the judgement.

That is why I highly recommend that your attorneys take a look at these cases where people were convicted. I had many attorneys who thought they would win their cases, especially in the Douvenga case, who eventually lost based on a technical point they never took into consideration.
 
Sorry Magic, but you will see later for yourself what I am referring to.

Precedent cases do not have to be similar to current incidents. They are being used for certain aspects, as with your case the 'Authorization' question. While you and others think a server can give authorization, in S v Douvenga it was made clear that authorization was permission given by a person.

The whole case is not being used, only that part of the judgement. The same happened in Douvenga's case. They used a precedent case which related to a vehicle accident when looking at the term 'authorization' or 'permission'. Although they did not make use of the whole precedent or the situation that was not remotely similar, they did focus on the 'authorization' or 'permission' aspect of the judgement.

That is why I highly recommend that your attorneys take a look at these cases where people were convicted. I had many attorneys who thought they would win their cases, especially in the Douvenga case, who eventually lost based on a technical point they never took into consideration.

Funny, Douvenga stole data for financial gain. Pretty clear cut. Pointless arguing this with you as you sound like a stuck record-player. Either way - let's see whenever that famous court date is. I think it will really be funny if the prosecution tries to use a 2003 case to argue the CoJ issue - this will lead to public embarrassment for the prosecution. My advocate thinks that "House is a funny chap" btw :whistle: - I must agree.
 
Let's ask the question one more time:
The most important thing about all these cases is that the authorization or permission aspect has been dealt with. Your argument of the 'server' giving authorization will be something that only a high court can deal with after the criminal trial. It is unlikely that the lower courts will go against the definition of authorization / permission already determined by higher courts.
CITE THE JUDGMENT

You can't, because ALL of the authority around the planet and the clear meaning of the statute and the canons of statutory interpretation and the Douvenga case all reinforce the proposition that authorization for entry is an objective fact to be determined.

Anyway no doubt your retainer or commission or whatever has been paid and the rampant dishonesty is back in full swing.
 