It's not an altogether unreasonable approach to security. It doesn't sit particularly well with geeks, but for complex systems with a high risk of fraud there's a great deal of damage-limitation to be found in only processing transactions when they can be manually monitored. Heuristic intrusion detection is still relatively poor.
For a government-to-business service, the overwhelming majority of legitimate transactions will occur during office hours and few people will be significantly inconvenienced by closing overnight. The risk of an attacker gaining even a few hours of brute-force insight is great, but the rewards from operating 24/7 slight.
While I'd like to be able to do my Companies House filings at 4am, I'm more keen to see my data protected.
Right. It'd be nice if everything was 24/7, but we have all manner of systems here in Japan that are only open during certain business hours, and for that matter in the US, too.
The online interface to the Delaware Division of Corporations, for example, only processes certain filings during business hours.
Computer software can be pretty good at flagging activity that falls outside certain parameters, but it still isn't generally good at figuring out what to do about that.
I just made it up, but others have probably noticed it. Insurance contracts (in the US) seem to always start at "12:01 on January 1". For some reason, our legal system can't get its collective head around the idea of "midnight" being the dividing line between two days and belonging to neither. I've heard there was actually a supreme court ruling that a street sign which read "12:00" was ambiguous. One of those things someone told me that I'm not sure to believe. "12:01" isn't any less ambiguous than "12:00" in that respect, yet it still seems to be used for some reason.
It's most of the time 12.01, because nobody is sure whether midnight is actually 12:00 a.m. or 12:00 p.m. To avoid confusion or phishy interpretations they choose the one minute delay, 'cause it's clear that way which time was actually meant.
Midnight is obviously 12:00am, but people don't know which day it belongs to. Is midnight the start of the day? Or the end of the day? Tuesday 12:00am could be 2 different times (spaced 24 hours apart) depending on your interpretation. If you say 12:01am, there is no ambiguity.
A lot of people in high school probably ignored their math teacher when he explained open/closed intervals.
Being a German, I can hardly imagine security being the reason - I rather think it's bureaucracy and/or a complete misunderstanding of how computers work.
Public services either close much earlier, or are 24/7.
Oh, I very much doubt that. If anything, I'd wager it's a purely technical/process decision. I bet there's some ancient mainframe deep behind that API that runs batch jobs and reports overnight.
The whole student management system at my uni (which was implemented at the start of this year) is like this too, down between 2am and 4am to 'synchronise the timetabling system'. I think it's to do with the massive Oracle backend, but I don't really understand the need.
Perhaps a bit OT: Most/all home/"small office" router firmware lets you designate hours of operation. This can be used as another means of limiting the risk of an undesired connection.
Now that I consider this again, I was thinking of the wireless signal. I'll have to check whether the functionality also applies to the wired connections.
I don't think it's a security issue. VAT numbers are public (like registration numbers for companies), it's just that every country keeps its own registry, and this is a tool to verify that a VAT number is valid.
As the examples mentioned here show, opening hours are not altogether uncommon on the web.
Here is another example from Germany: Certain TV shows are deemed not appropriate for kids of a certain age. This results in all broadcasters only being allowed to show them on TV at certain times. If a TV show is, for example, not appropriate for kids younger than twelve it can only be shown between 8pm and 6am.
The consortium of public broadcasters puts much of their content online, including TV shows with age limits. You can only watch those at certain times. Here is an example: http://mediathek.daserste.de/sendungen_a-z/602916_tatort/746... (the video should be blocked for another four hours and forty minutes after this link has been posted).
I’m not sure why the public broadcasters do that. The private broadcasters don’t seem to but maybe they just don’t put any content with age limits online.
In fact all of Western Europe, Southern Europe (minus Portugal, Greece and Turkey), Northern Europe (minus the British Isles, the Baltic states and Finland) and large parts of Eastern Europe (with the eastern border of Poland as the easternmost point) are all in one time zone.
It’s still slightly funny that most kids in the world are theoretically able to view the videos at non-approved times. Will nobody think of the (non-CET) children!
Nope. Not only in Germany. Here in Israel we have more than one site that "closes" for the Sabbath. It's moderately interesting to see how religion and the internet coexist.
Yep. Some governmental institutions such as the Israeli Social Security have their websites up during Sabbath (Saturday), but do not accept payments.
Supposedly, because just having the server up does not require any manual labor, but accepting payments constitutes trade, which is forbidden during Sabbath.
(Never mind the fact that an institution whose entire purpose is to assist those in need is the most non-accessible organization ever - from not having accessible entrances to buildings, to their payments gateway which supports IE only. Yes, IE is the ONLY browser officially supported).
An Israeli site has a problem that US sites don't. Although a Jew can leave a site running and even accept payments on the Sabbath, that is only if non-Jews are the ones sending the payment. (Because non-Jews are not required to observe the Sabbath.)
To accept a payment from a Jew on sabbath would definitely be wrong. So an Israeli site, which can expect that Jews will use it, must shut down on the Sabbath.
Leaving the site running, but not accepting money is probably the compromise they made because a lot of Israelis are secular.
I know of at least one site in the US that does the same. B&H, a venerable camera & electronics store in NYC, shuts down their shopping site every Saturday (http://www.bhphotovideo.com/).
Which is weird, but I guess I don't know much about the finer points of the Law. Would a religious Jew have to lock down a windmill before the start of the sabbath? Or does it only matter for matters of trade? Technically, wouldn't they have to lock their Paypal account as well, as well as traditional bank accounts?
No, they are not required to shut down their site by the letter of the law. However accepting money on the sabbath is not in keeping with the spirit of the sabbath, so I fully understand why they shut down.
A human is not allowed to work on the sabbath, but your machines can, as long as they run automatically.
Interestingly work animals are also required to be given the day off.
The main thing that is not in the spirit of the sabbath is accepting payments, even if by the letter of the law it's allowed.
For example, even though you could leave a physical shop open and unstaffed, and let people (non-jews) buy using the honor system, it's not the right thing to do.
However, leaving the shop open, so people can take things without money, and then they settle later is OK.
Oh yeah, I totally grok that. If you shop at their storefront location, you can see that they are staffed almost entirely by Hasidim. I was just pointing out an instance of a US-based e-commerce website that also closes for the sabbath.
My friend thought it would be novel to give his personal portfolio site opening hours (with a nice "sorry we're closed!" notification). It was very cool, except GoogleBot only came crawling in the middle of the night.
Not really only in Germany. For instance Nordea Denmark closes its online bank between 2 am and 5 am. Probably because they don't have staff at those times to prevent scammers from transferring money out and people rarely need to use banking during those hours.
As someone who sleeps weirdly it has annoyed me once or twice, though.
Now at first I thought the API would return a shop's opening hours. That's not as trivial as it sounds in Germany because different Länder have different laws requiring shops to close, for instance, on Sundays and weekdays after 8 p.m. That would be neat actually!
Maybe this is in fact an API that requires the manual intervention of a clerk? Or perhaps they have a policy to shut down the office computers after office hours - in any case, a funny comment on German bureaucracy.
In the great Commonwealth of Massachusetts we have government websites that are only "open" (meaning, you can perform transactions) during certain hours.
I don't think this is a joke. Not all systems are like Facebook and Twitter; banking systems and many other complex and distributed systems will need to have this compulsory daily downtime until we improve our communication technologies by 10x everywhere.
The Netherlands' Chamber of Commerce API shuts down at night too, which is why a free alternative had to be created (openkvk.nl) to prove there shouldn't be a need for the shutdown.
The Delaware Division of Corporations' web app to file your annual report and pay business entity tax is available between 8:00 am and 11:45 pm Eastern Time daily. Go figure.
The website for the department of the Ontario Gov't (Canada) which manages corporate filings is also only open during business hours (8-4 Mon-Fri I believe).
To be fair, this might not even have to do with Germany, as it queries other countries' VAT registries online, many of which are down for maintenance many hours a day. The weird thing is that, even though there is a system for VAT id interconnectivity (VIES), there is no central database of numbers. [http://ec.europa.eu/taxation_customs/vies/]
Do you have any information why these databases are down for such a long time, every day? I can't see a really good technical reason for that right now.
A combination of incompetence, byzantine bureaucracy, underqualified personnel, uncooperative subsystems and obscure security here in godforsaken Greece.
Reminds me of mbank.pl - a Polish _internet only_ bank which accepts money transfer orders only from 0800 - 1800 hours and not on weekends.
No, they don't save the order to execute it the next morning. They just print an error message and you have to enter your transfer order during opening hours.
Rudepeklo meant that mbank in Czech Republic accepts transfer orders 24/7. I can confirm, the interbank orders will wait till the interbank reconciliation center opens, but internal transfers will be made immediately.
What's more interesting, mbank uses the same backend for pl, cz and sk. I know that it works in cz and sk exactly the way it is supposed to do. Why is pl the exception?