Website security flaws in SA: why shoot the messenger?

It's because the grossly incompetent entities feel that they have to defend themselves in some way in order to deflect some of the rightful criticism coming their way.
 
It's government creating opportunity for business: why would you be a good citizen and report it if you can make money off others' misfortune?
 
I don't think it's "government vs private business" inasmuch as it has to do with how technically savvy the organisation is. In the case of Vodacom/CellC I suspect they both understand the technicalities, ease and value of the issues that were identified. In the case of most government organisations, they do not understand these things whatsoever; they look at anything that seems out of the ordinary as a possible hack.

It's the same mentality one gets when my mother gets a message on a website that says something unexpected: she proceeds to ask me if people are hacking into her computer. The issues are not understood, so the response and assumptions made are extraordinarily extreme as a result.

These issues should only ever be dealt with by people or a group within an organisation who understand what's going on. That means end to end, from fault identification, to resolution, to response. And please, for the love of god, let those people actually be experienced and not just some technical/IT guys you found off the street.
 
Nice article.

A good first step in exposing these incompetent liars!

Now it needs to get into Business Day and Business Report.

The Emperor Has No Clothes people, The Emperor Has No Clothes.

Catch and expose the Big Lie wherever and whenever you can.
 
Competent and confident people/organisations welcome criticism, positive or negative.
Incompetent and insecure people/organisations detest criticism, positive or negative.
 
I don't think it's "government vs private business" inasmuch as it has to do with how technically savvy the organisation is. In the case of Vodacom/CellC I suspect they both understand the technicalities, ease and value of the issues that were identified. In the case of most government organisations, they do not understand these things whatsoever; they look at anything that seems out of the ordinary as a possible hack.

It's the same mentality one gets when my mother gets a message on a website that says something unexpected: she proceeds to ask me if people are hacking into her computer. The issues are not understood, so the response and assumptions made are extraordinarily extreme as a result.

These issues should only ever be dealt with by people or a group within an organisation who understand what's going on. That means end to end, from fault identification, to resolution, to response. And please, for the love of god, let those people actually be experienced and not just some technical/IT guys you found off the street.

I refuse to believe this in these cases. It's a thought-out PR/damage control strategy: when caught, shout loudly that someone else has wronged you. It's a time-tested propaganda tactic.
 
Because accountability is a foreign concept to SA government entities.
 
I refuse to believe this in these cases. It's a thought-out PR/damage control strategy: when caught, shout loudly that someone else has wronged you. It's a time-tested propaganda tactic.

I don't know, the CoJ has proved to be dramatically incompetent in all interactions that I have had with them.
 
The answer is easy .. two of these are not like the other.

Noteworthy to read both non-governmental companies had their flaws fixed within 24 hours, while the other two ran to the lawyers and their problem's still not fixed. Shows you the power of the mantra .. 'right person for the job'.

Edit: Also

The city also opened a criminal case against “a suspected perpetrator” after a “thorough forensic investigation by the city and its private IT experts”.

They have IT experts to do forensic investigations but not one developer to actually sit down & fix the flaw? Sounds legit.
 
It is endemic to government: think about it, CoJ and Sanral both work with high-profile IT service providers in this country (companies which are ISO certified and should have COBIT and ITIL skill sets on board). A security flaw is highlighted and the finger pointing starts. Government has to rely on their outsourced IT service providers, who will not admit to any wrongdoing and point the finger elsewhere. There is simply nothing easier than shouting "cyber attack" instead of implementing e-services based on best practices.

I for one am grateful that CoJ made such industry-wide news, as many computer-literate people have become more aware of trivial security flaws such as those present in CoJ, CellC, Vodacom and Ekurhuleni and have started reporting them to the organisations. Many security specialists attempt to find vulnerabilities with the intention of improving systems for the greater good and not to cause malicious damage, as claimed by the likes of Sanral. TBH organisations such as CoJ or Sanral cause themselves more reputational damage by not owning up to the faults in their systems (and any reasonable person would expect a complex system to have faults).

In all cases those IT service providers will never take accountability for it, and I think the government could not be bothered trying to understand IT, hence gross negligence in the implementation of systems and overpriced tenders (the famous WordPress blog comes to mind). In most cases, those issues will just "disappear" or be dragged out through some wild accusations and lawsuits. Also, government has no real accountability like a business (funding is received from the fiscus, so there is no worry that people will be fired or a department will shut down for inefficiencies; contrary to that, more consultants will be hired to fix the problem).

BTW: Ekurhuleni had a similar security flaw to CoJ, but it quietly fixed it (even so, their service provider mentioned security audits and due diligence, which were never done as claimed).

Side note: it is horrendously shocking to read how the new media reports on cases like this. Where has journalism gone?
 
Great article. The government just wants to create fear and control us. They don't need the people's help, nor are they willing to accept it.
 
When you're found wanting, attack is the best form of defence. Throw mud where it sticks.

Though not personally an IT person, I suspect that the only knowledge some of the government IT "specialists" have extends to filling in a PIN number on a Kentucky Fried Chicken card machine. Remember, you get three chances at that as well.....
 
Organizations that think of themselves as "too big to fail" will fail repeatedly, and when they do fail it has to be somebody else's fault, necessitating a bailout of some form.

CoJ doesn't follow the practices, so it must be the fault of a hacker, and the police and NPA have to bail them out.
 
The answer is easy .. two of these are not like the other.

Noteworthy to read both non-governmental companies had their flaws fixed within 24 hours, while the other two ran to the lawyers and their problem's still not fixed. Shows you the power of the mantra .. 'right person for the job'.

Edit: Also

They have IT experts to do forensic investigations but not one developer to actually sit down & fix the flaw? Sounds legit.

As a web developer I understand what was needed to fix the CoJ vs Vodacom issue:

* For CoJ it was a simple validation rule, a one-line piece of code: is this invoice id linked to this user? Yes, display; no, do not display.

* For Vodacom it was more complex (and no, it was not a URL hack), yet their turnaround was very impressive, especially for this time of the year. I expected them to originally take down the bulk of their service for a couple of days to resolve this issue, as this exploit was linked to complex business rules.
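The one-line ownership rule the post above describes, written out as an added example that is not the thread's or CoJ's code. It shows an invoice lookup that ignores the caller's identity beside the hardened version; the invoice records, user ids and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int   # the user this invoice is linked to
    amount: float

# Constructed sample data standing in for the billing database.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, owner_id=7, amount=350.00),
    1002: Invoice(1002, owner_id=42, amount=1280.50),
}

def view_invoice_vulnerable(invoice_id: int, current_user_id: int) -> Optional[Invoice]:
    # Looks the invoice up by id alone. current_user_id is never consulted,
    # so any logged-in user can read any invoice just by changing the id:
    # the class of flaw the post describes for CoJ.
    return INVOICES.get(invoice_id)

def view_invoice_fixed(invoice_id: int, current_user_id: int) -> Optional[Invoice]:
    # Same lookup plus the ownership rule: is this invoice linked to this user?
    # Yes, display; no, do not display.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        # Treat "not yours" exactly like "does not exist" (both return None,
        # i.e. a 404 in a web handler) so the response does not confirm
        # which invoice ids exist. In a real app this check belongs in the
        # query itself (WHERE invoice_id = ? AND owner_id = ?), and a mismatch
        # is worth logging: repeated misses from one account indicate id
        # enumeration.
        return None
    return invoice
```

The hardened function is the only change needed: the vulnerable and fixed versions take the same arguments, so the fix is a drop-in replacement at the handler.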
 
It is endemic to government: think about it, CoJ and Sanral both work with high-profile IT service providers in this country (companies which are ISO certified and should have COBIT and ITIL skill sets on board). A security flaw is highlighted and the finger pointing starts. Government has to rely on their outsourced IT service providers, who will not admit to any wrongdoing and point the finger elsewhere. There is simply nothing easier than shouting "cyber attack" instead of implementing e-services based on best practices.

I for one am grateful that CoJ made such industry-wide news, as many computer-literate people have become more aware of trivial security flaws such as those present in CoJ, CellC, Vodacom and Ekurhuleni and have started reporting them to the organisations. Many security specialists attempt to find vulnerabilities with the intention of improving systems for the greater good and not to cause malicious damage, as claimed by the likes of Sanral. TBH organisations such as CoJ or Sanral cause themselves more reputational damage by not owning up to the faults in their systems (and any reasonable person would expect a complex system to have faults).

In all cases those IT service providers will never take accountability for it, and I think the government could not be bothered trying to understand IT, hence gross negligence in the implementation of systems and overpriced tenders (the famous WordPress blog comes to mind). In most cases, those issues will just "disappear" or be dragged out through some wild accusations and lawsuits. Also, government has no real accountability like a business (funding is received from the fiscus, so there is no worry that people will be fired or a department will shut down for inefficiencies; contrary to that, more consultants will be hired to fix the problem).

BTW: Ekurhuleni had a similar security flaw to CoJ, but it quietly fixed it (even so, their service provider mentioned security audits and due diligence, which were never done as claimed).

Side note: it is horrendously shocking to read how the new media reports on cases like this. Where has journalism gone?

+100

This, so much this

and as for this, :crying::mad::crying:
 
This is because Sanral and the JSE don't have the mental intelligence to know any better.
 
In all fairness towards the companies involved, the article needed to emphasize the manner in which the incidents were reported:

CellC and Vodacom (No criminal charges)

- Reported to the companies; hacks not made public for others to follow

Sanral and COJ (Criminal Charge & Threat of Criminal Charge)

- Reported to the companies and hacks published in public forums

I agree, COJ did not respond and their system was flawed, but the manner in which it was made public was the differentiating factor. Had CellC's and Vodacom's hacks been published on this forum, criminal charges would also have been laid.
 
Had CellC's and Vodacom's hacks been published on this forum, criminal charges would also have been laid.

That is very much your opinion and not something based on the evidence at hand. I don't think they would have laid criminal charges.
 
I agree, COJ did not respond and their system was flawed, but the manner in which it was made public was the differentiating factor. Had CellC's and Vodacom's hacks been published on this forum, criminal charges would also have been laid.

I doubt it. It previously happened to Vodacom, if I am not mistaken, and they also thanked the guy who posted it...
 