OnPoint: MSD's Leaky Servers
629 Responses
First ←Older Page 1 … 6 7 8 9 10 … 26 Newer→ Last
-
Jimmy Southgate, in reply to
You'd need to have understanding of the directory structures that are shown to you, and be able to guess which ones had the data you were interested in.
I read it a little differently. Say you have plenty of time on your hands, a reasonable reason for being in the WINZ office, using the kiosks relatively frequently, and an inquisitive mind.
From what I've understood from the screenshots & various comments around here, that'd probably be all you needed. Eventually you'd open something interesting.
-
Kumara Republic, in reply to
It seems appropriate to declare this a scandal.
How big a scandal, maybe on par with the Anonymous exposé of HB Gary?
-
As someone whose job is mainly to teach computer courses to people, while a lot of people have had experience with the File menu -> Open command, a lot of people have no experience using computers to open files from other computers on the same network. If your experience is with a computer at home "My Network Places" will generally be a useless button. Equally, if you are using computers in an environment where the files are stored on a central computer, this is normally set up to behave the same way as a home machine. This one added step of opening up a file from another computer is what I think some people are finding a baffling and alien concept, and it is something that could probably do with being spelled out a little clearer in explanations of how easy it was.
-
Sacha, in reply to
not knowing how to navigate a local area network
can involve stuff as simple as the way we describe that, as others have pointed out.
-
Heather Gaye, in reply to
I'm guessing WINZ would happily send someone on a course to develop the skills it takes.
Actually, one of my friends has been on a WINZ-associated "business & computer skills" course, and among the skills they've covered is making scones (so they can please their husbands and impress visitors - this is actually what the tutor said). She's pretty annoyed.
-
duke, in reply to
Totally. To ignore testers suggests that a due process was actually overridden, rather than the processes being neglectfully weak in the first place.
Par for the course in the Natz delivered climate of fear subsuming our public service thanks to their foolish, crippling budget cuts. DOC is being well and truly violated; while much if our windefrul and unique biodiversity is in free fall decline.
Trickle down does exist; but only for poisinous shit policies.
-
Seeing as the Chief Executive of MSD came straight from his post as Government Chief Information Officer (CIO) where he was 'responsible for developing and implementing the Government’s Information and Communications Technology (ICT) Strategy and for providing strategic advice on ICT matters' and he seems to be responsible for the whole of the current online approach to government, and was behind the implemention of the kiosks at WINZ - surely he should lose his job? http://www.ssc.govt.nz/appt-ce-msd-aug11
-
Sacha, in reply to
This one added step of opening up a file from another computer is what I think some people are finding a baffling and alien concept, and it is something that could probably do with being spelled out a little clearer in explanations of how easy it was.
Can someone whip up or link us to screenshots or a clip?
-
The bigger issue here is people such as Jacqui who have legitimate concerns about whether or not their details have been discovered by peeps that they need to keep such things private from.
The odds are great that Jacqui and co are safe. Only because the sheet sniffers and the sleazy debt collecting agencies and sordid 'private' detectives who employ them would never have conceived that the data they have been paying so much for was so easily obtainable.
Nevertheless Jacqui along with many others is rightly concerned about the confidentiality of her information. The issue is as much about whether the client believes they are secure as whether or not the data was compromised. So it behoves the MSD to pay whatever it costs for relocation of these clients, or whatever else is required to keep them feeling safe. -
Mahal, in reply to
This outlines the basic process. Note, it's not quite what Keith will have done - he started with File->Open in Word, instead of opening an Explorer window - but the process is the same thereafter. It's something you can do in any office that uses a Windows network (depending on the security your IT department puts in place). I couldn't find screenshots with a quick google, but it'd be easy enough to whip up.
On a Mac it's even simpler; open a Finder window, look under Shared in the sidebar at the left.
(For context, I work in tech support, as a fledgling admin - frankly even my skillbase is sufficient to avoid this sort of fustercluck.) -
Craig Ranapia, in reply to
This doesn’t make John Key’s statements true, however. It would have been easy for someone interested in accessing the private data.
Well, yes… thought I’d made that distinction clearly but apparently not.
…. who have children hidden from them in CYFS care, and have just been given enough information to find them.
And that’s the one thing that makes me really fucking cross. Just getting out of an abusive relationship is hard enough when you've been programmed into believing if you leave nobody and NOTHING will ever keep you safe. So, totes awesome MSD – how many people already trying to drag themselves out of HELL have had what little confidence and trust they possess smashed because you fucks couldn’t be arsed doing your jobs?
-
If MSD was unable to secure the data what are the chances there is any audit trail of who has accessed the data? Call me cynical but I'd say nil (sorry Jacqui)
-
Steve Barnes, in reply to
That’s a world a way from Clippy chiming in with “You look like you are downloading secret documents, would you like some help with that ?”
You mean they disabled "Clippy"?. Now that's some tight security. I wonder how the staff managed to use the system without that wonderful little chap?.
-
Emma Hart, in reply to
Also, hearing that the files were writeable (editable).
Really? Jesus.
-
To extend (flog?) the car metaphor -- this wasn't change-the-oil difficult it was reverse-into-a-car-park difficult.
-
Jonathan King, in reply to
Also, hearing that the files were writeable (editable).
Holy. Shit.
-
Well, hopefully Keith can verify that claim, but if so...
-
Joe Wylie, in reply to
You mean they disabled "Clippy"?
Wasn't he justifiably beaten to death years ago?
-
Hebe, in reply to
Funny that’s your go-to response, rather than sacking the people who as far as I understand have had a heads-up on this before and did sweet Fanny Adams.
Craig, I understand this is a hideous start to the week for you, and I wouldn't contribute to PA if I wasn't thought-provoked and disagreed with. How about about we call a truce and discuss rather than snark? (My tongue can be nasty but I try nowadays to play nicely)
My view is that MSD's Minister claims credit for successes and responsibility for policy "initiatives" such as the self-service kiosks, so the inverse of taking responsibility for an appalling failure is also the case. Inevitably ducks will be shoved, and the decision-makers will be Key and Joyce. They will push Paula Bennett if it is required to keep National in government: this one is a 'whatever it takes' scandal. The bad management and governance may also track back to Labour's terms of office.
As for technical competence required to access this information: I am very, very basic when it comes to computer operation, and I would have found those files simple to enter and save on a stick.
@Keith: Were National Super-related files wide open too?
-
Steve Barnes, in reply to
Also, hearing that the files were writeable (editable).
That would mean deletable too but they would have backups... wouldn't they?
ooops! -
Che Tibby, in reply to
Please trust me when I say I don’t know how to do this
frankly, joe public not having the specific skills is totally irrelevant.
the fact is that people with skills can and probably do have a very very large MSD dataset somewhere that is not inside government.
-
Tom Beard, in reply to
To extend (flog?) the car metaphor -- this wasn't change-the-oil difficult it was reverse-into-a-car-park difficult.
Or hearing that someone's out to get you, and could walk into your garage at any time, and responding "Someone said that meant they could disable my brakes. I only care about driving, not about the mechanics, but I suppose someone who knows about cars could do that".
It sounds trivial to focus on the technical details when people's privacy and perhaps safety is at stake, but the ease of doing this affects the likelihood that any given person with malicious intent could take advantage of it. If it required specialised tools and skills that only a handful of obscure hackers would have, then of course that's a worry. But if it only requires skills that are available to hundreds of thousands of people, then the chance of someone with a grudge exploiting it are vastly increased. The statements of John Key, and of some people in the media who seem to take a blithe pride in their technical ignorance, act to downplay the seriousness of this breach.
-
rodgerd, in reply to
To amplify Rich's point about government pay scales: I applied for a job in 2008 with a government department that do actually take IT very seriously, and are well-funded, and they were paying about 20% below market rates for the position. I have no idea what the landscape looks like in departments that don't take it as seriously and after several years of austerity treatment for staff, but I'm guessing something about peanuts and monkeys applies.
-
A large number of people, possibly a majority, don't understand folders/directories at all. They save in the default folder each app presents, and get confused and call an expert if this changes (and mail attachments in Outlook totally screw them).
That's why Google have de-emphasized the folder concept in most of their things, preferring to rely on categories, binding data to an application and search.
-
TracyMac, in reply to
Since "successful file access" auditing isn't enabled by default on Windows boxes, I'd say it's extremely likely there is no record of what accounts have accessed which files.
I'm still appalled that these kiosks weren't set up as "kiosk-style" machines, of which there are copious examples around the place, with accounts that are basically "guest" accounts (assuming they need to be in the Windows security domain for other reasons). To compound that with editable file permissions is unbelievable, since a user with access to a share has "read" access by default. Of course, users can be members of groups with greater access, but they have to be put into those groups.
So either someone didn't configure the account(s) properly (which frankly, is the "easy" solution), and they or the person who developed the faulty process should be fired, or a whole bunch of people up the chain signed off on this security breach. And yes, as a lowly techie, I would have kept the arse-covering material that said "do it like this" with authorisations.
As for the ease of how to do this, and to continue the car analogy, the relative skill would be like someone who's comfortable with doing an oil change and oil filter replacement. Basically, not very difficult for someone with slightly extended knowledge of computers on enterprise networks. Possibly even less, because someone could inadvertently bring up that dialogue in Word and start clicking around from curiosity.
I also disagree with the point that someone would have to know what they were looking for to get any use out of this. Copying all those sensitive files to a USB and uploading to Wikileaks or a similar organisation would have been trivial. Or poking around and making edits to files just for "fun".
Post your response…
This topic is closed.