<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Aigarius Blog &#187; ffii</title>
	<atom:link href="http://www.aigarius.com/blog/category/ffii/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.aigarius.com/blog</link>
	<description>Mindblogging the world to itself</description>
	<lastBuildDate>Wed, 01 Feb 2012 20:59:07 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Hacker &#8216;Neo&#8217; caught in Latvia</title>
		<link>http://www.aigarius.com/blog/2010/05/13/hacker-neo-caught-in-latvia/</link>
		<comments>http://www.aigarius.com/blog/2010/05/13/hacker-neo-caught-in-latvia/#comments</comments>
		<pubDate>Thu, 13 May 2010 19:59:19 +0000</pubDate>
		<dc:creator>aigarius</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[Debian-planet]]></category>
		<category><![CDATA[ffii]]></category>
		<category><![CDATA[floss]]></category>
		<category><![CDATA[legal]]></category>
		<category><![CDATA[people]]></category>
		<category><![CDATA[politics]]></category>
		<category><![CDATA[Ubuntu.lv-planet]]></category>

		<guid isPermaLink="false">http://www.aigarius.com/blog/?p=1508</guid>
		<description><![CDATA[A scandal has been brewing in Latvia over the last half year and yesterday the activity spiked shocking the media and some IT people in the country. I&#8217;ll go back and explain what happened first, what is happening now and why this could have a heavy impact on IT and journalists in Latvia. At the [...]]]></description>
			<content:encoded><![CDATA[<p>A scandal has been brewing in Latvia over the last half year and yesterday the activity spiked shocking the media and some IT people in the country. I&#8217;ll go back and explain what happened first, what is happening now and why this could have a heavy impact on IT and journalists in Latvia.</p>
<p>At the end of last year, there were rumours that the IT system of Latvia&#8217;s Internal Revenue System was &#8216;hacked&#8217; and millions of documents had been downloaded by multiple organizations. Shortly thereafter more details on the glaring security hole became public (after it was closed).</p>
<p>There is a full electronic interface to give all reports to the IRS electronically (at http://eds.vid.gov.lv) and as part of that system you could also view and export monthly report summaries about your organization into XML and PDF files. After the system checked that you are authorized to access the report, you were redirected to the URL to actually download the report by report ID (as a single param in a GET request). Unfortunately, report IDs were predictable and the script that gave the reports for download did not check if you were authorized to get that report. It did not even check if you were logged into the system.</p>
<p>There were suspicions that the authorization was disabled on purpose to allow data to be leaked, but apparently it was an error of forgetting to disable debug code in the production environment.</p>
<p>The error was discovered only because the firewall administrator noticed an unexplained stable increase of traffic, especially during night hours when typically the traffic fully stopped. Apparently a single hacker (who later identified himself as &#8216;Neo&#8217; to the press) discovered the flaw and wrote a script to just try all possible report ids and get as much data out as possible. This had been going on for months, before someone noticed.</p>
<p>After the flaw was discovered and a bit of time passed, Neo made his first move &#8211; he published the list of top salaries in a governmental company, that clearly showed that the top leadership of this company failed to cut their salary by 40%, like everyone else&#8217;s during harsh budget cuts of 2009. He stripped the names and ids of the specific employees, but named the company which made it pretty easy to figure out who was who.</p>
<p>The society was outraged that the top managers in a government owned company failed to comply with the strict pay cut that everyone else in government had to endure. But after a few weeks the outrage subsided and no action followed from the government or law enforcement.</p>
<p>Neo continued to release documents detailing salaries of top managers in different Latvian government companies. And each time after short outrage, nothing happened. Neo gave an interview where he said that he was disappointed in the passivity of the Latvian people in the face of such blatant injustices.</p>
<p>After a few months Neo went silent, promising to return before parliamentary elections this fall.</p>
<p>However, this week a new development shocked everyone &#8211; in the middle of the night two police SWAT teams went into action: one detained Ilmārs Poikāns, a researcher in artificial intelligence at the University of Latvia&#8217;s Computer Science department and another raided the home of a Latvian TV journalist Ilze Nagle who interviewed Neo. Poikāns confessed to being Neo the next day and was released (with travel restrictions, pending trial) today.</p>
<p>Politicians reacted immediately &#8211; opposition demanded the resignation of the Interior Minister over &#8216;such blatant disregard of freedom of press&#8217; and another politician (who is also a famous lawyer) Aleksejs Loskutovs volunteered to defend Neo pro-bono (on Twitter, no less). Almost all Latvian online media have the arrest of Neo and the raid on the home of a journalist as main stories of the day.</p>
<p>As a legal titbit, we also know that Neo is being charged with breaking statutes 145 and 244p2 of the criminal law. Statute 145 is hard to find applicable in this situation as it talks about actions done by &#8216;people authorized (..) to access [private] information&#8217;. Statute 244p2 will also be hard to pin down as it mentions &#8216;influencing system resources of (an IT system)&#8217; and &#8216;if such action caused severe harm&#8217;. It looks like the first part talks about at least a DoS attack (which did not happen in this case) and also there was no measurable harm from these leaks. </p>
<p>Also Neo was careful to strip all personally identifying information (such as names, social security numbers and addresses of the employees in question), so it will be hard to pin him on that. Also no actual breaking or other modification of an IT system occurred. And no &#8216;specialized software&#8217; was used beyond a trivial script such as:</p>
<pre>
for i in range(0,7000000):
    wget('https://eds.vid.gov.lv/getRep.aspx?id='+str(i))
</pre>
<p>A lot of commentators on the Internet likened the situation to walking through an unlocked door and stealing something. I think that analogy is very incorrect &#8211; there was no door, and nothing went missing after the action.</p>
<p>I came up with a different analogy &#8211; there was this corridor with a lot of doors in IRS, locked steel doors. You were instructed to go to a room with a specified number and given a key to that room to unlock it and see your secret info. However, that corridor opened out to the street on one end, oh and also the walls of the rooms with all the secrets were transparent. So Neo walked into the corridor, looked at some of the secrets, wrote them down (to remember them better) and then went out and discussed the worst examples of abuse of power he saw.</p>
<p>In the end IRS had to learn their lesson &#8211; if you have to put naked photos of yourself on the Internet (or something equally embarrassing), then make damn sure you password protect that, but if you don&#8217;t then don&#8217;t cry that someone &#8216;hacked&#8217; you and &#8216;stole&#8217; your pictures.</p>
<p>What other people think:<br />
<a href="http://freespeechlatvia.blogspot.com/2010/05/neo-released-under-restrictions.html">http://freespeechlatvia.blogspot.com/2010/05/neo-released-under-restrictions.html</a></p>
<p>We&#8217;ll see how the story develops soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aigarius.com/blog/2010/05/13/hacker-neo-caught-in-latvia/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>24th September as a day against software patents &#8211; Debian support?</title>
		<link>http://www.aigarius.com/blog/2008/08/30/24th-september-as-a-day-against-software-patents-debian-support/</link>
		<comments>http://www.aigarius.com/blog/2008/08/30/24th-september-as-a-day-against-software-patents-debian-support/#comments</comments>
		<pubDate>Fri, 29 Aug 2008 21:47:50 +0000</pubDate>
		<dc:creator>aigarius</dc:creator>
				<category><![CDATA[debian]]></category>
		<category><![CDATA[Debian-planet]]></category>
		<category><![CDATA[ffii]]></category>
		<category><![CDATA[idea]]></category>
		<category><![CDATA[politics]]></category>
		<category><![CDATA[swpat]]></category>
		<category><![CDATA[Ubuntu.lv-planet]]></category>

		<guid isPermaLink="false">http://www.aigarius.com/blog/2008/08/30/24th-september-as-a-day-against-software-patents-debian-support/</guid>
		<description><![CDATA[According to the Slashdot article and the StopSoftwarePatents.org website itself and on Digg, the anti-software-patent activists are attempting a world-wide event on the 24th of September as a world-wide day against software patents. USA has them via a weird court ruling, Japan has them as well (not sure why), there have been efforts to force [...]]]></description>
			<content:encoded><![CDATA[<p>According to the <a href="http://yro.slashdot.org/firehose.pl?op=view&#038;id=1105705">Slashdot article</a> and the <a href="http://stopsoftwarepatents.org/">StopSoftwarePatents.org</a> website itself and on <a href="http://digg.com/linux_unix/Support_for_the_World_Day_Against_Software_Patents">Digg</a>, the anti-software-patent activists are attempting a world-wide event on the 24th of September as a world-wide day against software patents. USA has them via a weird court ruling, Japan has them as well (not sure why), there have been efforts to force software patents on EU, India, Australia and many other countries either by Microsoft lobbies or even via US trade treaty pressure.</p>
<p>While lobbying by local Microsoft branches and their pet companies can be countered locally, like <a href="http://www.aigarius.com/blog/2005/06/23/software-patent-situation/">I and many others</a> <a href="http://www.aigarius.com/blog/2005/07/06/software-patents-rejected/">did in EU a couple years ago</a> (mostly thanks to <a href="http://www.ffii.org">FFII</a>), trade negotiations are very secretive affairs and it is very hard to lobby there directly. The public needs to be aware of the issue, otherwise the politicians will not be aware of its importance to their voters.</p>
<p>Software patents are a threat to free software as they circumvent the power of GPL and other copyright licenses if enough money is thrown at the lawyers. If a software patent is generic enough, it can easily stop development of a whole class of free software applications on a whim of the patent holder. And there are plenty of granted software patents with a very broad scope (progress bar, anyone?).</p>
<p>I am aware that to get Debian support for such an initiative, a GR is needed, but how about a personal word of support from the DPL or support from the SPI? It is in the direct area of interest for SPI &#8211; software patents create an ever present threat of legal action against any and all software in Debian (in USA and Japan, at least) and, as the legal umbrella of Debian in the USA, SPI would be a prime target.</p>
<p>What do others think about this?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aigarius.com/blog/2008/08/30/24th-september-as-a-day-against-software-patents-debian-support/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Test post for Planet.FFII.org</title>
		<link>http://www.aigarius.com/blog/2008/08/11/test-post-for-planetffiiorg/</link>
		<comments>http://www.aigarius.com/blog/2008/08/11/test-post-for-planetffiiorg/#comments</comments>
		<pubDate>Mon, 11 Aug 2008 11:50:57 +0000</pubDate>
		<dc:creator>aigarius</dc:creator>
				<category><![CDATA[ffii]]></category>

		<guid isPermaLink="false">http://www.aigarius.com/blog/2008/08/11/test-post-for-planetffiiorg/</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p> <img src='http://www.aigarius.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.aigarius.com/blog/2008/08/11/test-post-for-planetffiiorg/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Better now!</title>
		<link>http://www.aigarius.com/blog/2008/08/07/better-now/</link>
		<comments>http://www.aigarius.com/blog/2008/08/07/better-now/#comments</comments>
		<pubDate>Thu, 07 Aug 2008 20:58:32 +0000</pubDate>
		<dc:creator>aigarius</dc:creator>
				<category><![CDATA[Debian-planet]]></category>
		<category><![CDATA[event]]></category>
		<category><![CDATA[ffii]]></category>
		<category><![CDATA[food]]></category>
		<category><![CDATA[germany]]></category>
		<category><![CDATA[music]]></category>
		<category><![CDATA[travel]]></category>
		<category><![CDATA[work]]></category>

		<guid isPermaLink="false">http://www.aigarius.com/blog/2008/08/07/better-now/</guid>
		<description><![CDATA[As soon as my laptop came back from repairs, I started to feel better &#8211; being back with 1920&#215;1200 resolution is great! NVidia is much more stable than ATi and Intel wireless is just great! And then last weekend I was in Berlin for the FFII board meeting and used the opportunity to see the [...]]]></description>
			<content:encoded><![CDATA[<p>As soon as my laptop came back from repairs, I started to feel better &#8211; being back with 1920&#215;1200 resolution is great! NVidia is much more stable than ATi and Intel wireless is just great!</p>
<p>And then last weekend I was in Berlin for the FFII board meeting and used the opportunity to see the city with my girlfriend. I must say that there are a lot of interesting things to see in Berlin. The things I would recommend everyone are: go to the Zoo (5-7 hours of superb fun), then take bus 100 to Alexander Platz (driving by all the main landmarks), go up on the TV tower, then come down and sometime late in the night go to <a href="http://wikitravel.org/en/Berlin#Clubs">&#8216;Weekend&#8217; dance club</a>.</p>
<p><span id="more-1376"></span></p>
<p>The Zoo is fantastic &#8211; most of the time there are no walls between you and the animals, only deep pits. Most animals can be seen both in their outdoor spaces and in their indoor places. The park is a bit maze like, but the best thing is that you can just keep on walking and you will always have something interesting to look at. Wherever there is an underwater bit, there is a glass plate that allows you to look underwater. It looks almost like huge TV sets. When a family of hippos swims by a long wall of glass, the effect is fantastic. And so is the whole zoo.</p>
<p>Going to the &#8216;Weekend&#8217; club was another interesting experience. We found out about the club from Wikitravel and went there around 22:30. The place was barely warming up. We easily found the big office building with red &#8220;SHARP&#8221; ad on top just off the Alexander Platz, but it was fully dark and quiet with no signs about the club, so we looked for people. At one of the entrances there were a couple people with a table that took 5€ from us and waved us inside to the elevators. When elevators came, they had two guys inside that did not ask us anything, but just shot us up to the 15th floor, we followed the small stream of people and came to a wooden roof-top terrace with lots of places to sit, to chat, to drink and a very long bar with lots of staff ready to make us a drink. And there was music &#8211; great quality soft disco music that was quiet enough so that people could relax and talk freely. You could see the street below, but not a sound from this roof-top chill-out reached the street level &#8211; that is one great way to make a club. We also checked out the small dance room on the 15th floor, but did not stay around for long enough to see the main area on the 12th floor. Again, the sound system was perfect &#8211; they were rolling dance music on vinyl and I could really hear the difference in the depth of sound and appreciate how the female DJ mixed the tracks seamlessly. We were a bit surprised by the number of gay people in the club, both male and female. It is very rare to see that in Latvia because of the still prevalent prejudice, unfortunately.</p>
<p>We also went to a great place serving South African food and we ate some ostrich and gnu meat which was cooked flawlessly. It was a place of a slightly higher level than we normally eat, but it was totally worth it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aigarius.com/blog/2008/08/07/better-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

