OnPoint by Keith Ng

OnPoint: The Source

217 Responses

  • Ian Dalziel, in reply to Lucy Stewart,

    ...targeting departments at random
    – but, again, cost.

    Yet after the fact there's always money to clean up the mess these things can create...

    an ounce of prevention....


    I'm just wondering why the then Minister of Communications and Information Technology, Steven Joyce, or current minister Amy Adams hasn't been called on the appalling failure, thus far, of the 2011 NZ Cyber Security Strategy (links to PDF file)

    In which they assert that:

    "The Government has a responsibility to protect its own systems and assist critical national infrastructure providers to ensure New Zealanders and New Zealand businesses can access government and other essential services."

    and

    "New Zealand’s Cyber Security Strategy has three priority areas:
    1. Increasing Awareness and Online Security
    2. Protecting Government Systems and Information
    3. Incident Response and Planning"

    (my emphasis)

    Christchurch • Since Dec 2006 • 7943 posts Report Reply

  • Chris Miller, in reply to Raymond A Francis,

    Fairly likely that someone in employment would do that for any number of reasons - they're underemployed (ie, have a shitty part time job only), their job is terrible, they're helping someone else, they want to move and find a new job there, they do like their job but a better position is opening up and they want to try for it.

    More importantly, what does it matter whether he's employed or not?

    Otautahi, Aotearoa • Since Nov 2011 • 17 posts Report Reply

  • merc, in reply to Ian Dalziel,

    Yes but no legal duty of care, at all.

    Since Dec 2006 • 2471 posts Report Reply

  • Sacha, in reply to merc,

    but no legal duty of care, at all.

    does case law support that?

    Ak • Since May 2008 • 19707 posts Report Reply

  • andin, in reply to Sacha,

    Interesting that *reputation* is how we decide who's telling the truth about this as well

    Yes, well! It depends on perception don't it.
    johnnygoldentonsils sez

    "[He was] just pointing to the system and wanting an incentive payment or wanting cash basically to tell us where the problem was," he told TV3's Firstline programme.

    Bad spin johnny.
    Wanting cash basically? right. dirty word is it?

    raglan • Since Mar 2007 • 1890 posts Report Reply

  • merc, in reply to Sacha,

    I started with trying to find what the legal situation in NZ is with Govt. Dept's legal duty of care. As far as I can find, there is none. There are statements of care, mission statements, not legally binding ones. Case law exists but that is to contend if there was duty of care, nominal position. I can find no actual legal requirement for in this instance WINZ or DSW having to protect your private information if you have been required to provide it. Prisons and Police hopefully have it.
    All this is essential because if you are going to have inquiries it behoves you to define just what law the inquiry is against and most law is contractual in these cases.
    Otherwise it's just experts arguing with each other over he said, she said. If there is no legal requirement for Govt. to adequately protect citizens private information, then why bother?

    Since Dec 2006 • 2471 posts Report Reply

  • Chris Waugh, in reply to merc,

    I can find no actual legal requirement for in this instance WINZ or DSW having to protect your private information if you have been required to provide it.
    ...
    If there is no legal requirement for Govt. to adequately protect citizens private information, then why bother?

    Privacy act?

    Wellington • Since Jan 2007 • 2401 posts Report Reply

  • merc, in reply to Chris Waugh,

    Sadly I think, way too far down the chain. If the Dept. has a legal requirement to perform to described duty of care practices there would be no need for further down the chain buck passing that frankly you and I could not afford.
    Interesting that BORA is not enshrined in law no? All this is heading in one direction for me.

    Since Dec 2006 • 2471 posts Report Reply

  • Roger Lacey, in reply to Sofie Bribiesca,

    bain of her life.

    Lovely Freudian slip there. :-)

    Whatakataka Bay Surf Club… • Since Apr 2008 • 148 posts Report Reply

  • Sacha, in reply to andin,

    dirty word is it?

    Impugning the motivation of the source is standard practice for these guys, rather than taking responsibility for failings.

    Ak • Since May 2008 • 19707 posts Report Reply

  • Ds, in reply to Sacha,

    BUT what about this from a Stuff report

    On Thursday, Bailey's LinkedIn profile had been checked out by an adviser in Social Development Minister Paula Bennett's office, Ng said.

    wellington • Since Sep 2012 • 8 posts Report Reply

  • Sacha, in reply to merc,

    Govt. Dept's legal duty of care. As far as I can find, there is none.

    I'm not a lawyer but recall some cases that hinged on exactly that - and Susan Couch vs Corrections is one higher-profile current example.

    Ak • Since May 2008 • 19707 posts Report Reply

  • Sacha, in reply to Ds,

    from a Stuff report

    wow. link?

    Ak • Since May 2008 • 19707 posts Report Reply

  • Joshua Franklin, in reply to Sacha,

    Wellington • Since Oct 2012 • 5 posts Report Reply

  • ScottY, in reply to Chris Waugh,

    I can find no actual legal requirement for in this instance WINZ or DSW having to protect your private information if you have been required to provide it.

    If there is no legal requirement for Govt. to adequately protect citizens private information, then why bother?

    ...

    Privacy act?

    There is a requirement. Privacy Act 1993, section 6:

    Principle 5

    Storage and security of personal information

    An agency that holds personal information shall ensure—

    (a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against—
    (i) loss; and
    (ii) access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
    (iii) other misuse; and
    (b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.

    There are lots of exceptions to the privacy principles, but I can't think of any that excuse this degree of negligence.

    West • Since Feb 2009 • 794 posts Report Reply

  • merc, in reply to Sacha,

    I thought I answered that. I'm talking about before not after the fact. If Govt. has no legal ramifications for not providing duty of care (notified in law), then why should they bother, and it appears, they don't.
    Hence why Bennett can out a person's file with impunity...needless to say there appears to be a problem with Police deciding prosecutions, ref Key teapot tapes and so on.
    It's not a sophisticated argument, it's really about what we are actually voting for.

    Since Dec 2006 • 2471 posts Report Reply

  • ScottY,

    But getting a meaningful remedy out of MSD's breach of the Privacy Act may be another matter...

    West • Since Feb 2009 • 794 posts Report Reply

  • merc, in reply to ScottY,

    Agreed. Yes but you have to prosecute it in order to get any redress. The main thing I am going to watch for is how the Govt. gets away with total negligence, once again.

    Since Dec 2006 • 2471 posts Report Reply

  • Joshua Franklin,

    Related: Given the treatment Bailey is receiving, can anyone advise on the correct way to inform Paula Bennett if, hypothetically, her blog seemed to be vulnerable to SQL injection?

    Wellington • Since Oct 2012 • 5 posts Report Reply

  • merc,

    Oh what a tangled web she weaves,

    Ms Bennett said the issue of Ira Bailey asking about some form of payment in return for the information before he went to Ng was only a "side issue" and she had bigger problems to deal with.
    She said Mr Bailey and Ng had ultimately done the department a favour.
    "I feel no ill-feeling towards any of them. At the end of the day, it's not their fault there is such a security flaw in the system and that is quite frankly the responsibility of the ministry. The main issue is that people were able to access information they shouldn't have been able to access."
    Asked if she believed Mr Bailey had tried to 'blackmail' the Ministry of Social Development in return for his cooperation, she said she believed he was asking for a 'reward.'
    "You can take from that what you want to."

    http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10840860
    Minister Bennett, have you at any time seen any reference to the security flaw in the kiosk system prior to this latest revelation?

    Since Dec 2006 • 2471 posts Report Reply

  • Steve Barnes, in reply to Hilary Stace,

    I suspect that there weren't any jobs at KPMG advertised on the Work and Income database.

    Time for an anecdote...
    About 10 years back I had occasion to go to a WINZ office, or whatever they were called back then, because I was in between jobs and thought it might be worth looking at what jobs they had on the books.
    Back then they had a brand new computer set-up in the public area, two in fact, that you punched in your details and it delivered a list of jobs that would suit you.
    There were a couple of other people doing this so I waited my turn and watched.
    The two guys in front of me got their print-outs and read the results.
    "Aircraft Refueller" said one.
    "Hey, same here" the other guy retorted.
    They hung around while I did the punching in of my skills and attributes. The result?
    Aircraft Refueller.
    We figured out that the machine was just spitting out the first job on an alphabetical list regardless of input.
    "So" said one of the guys "No jobs for accountants then".
    Oh how we laughed...

    Peria • Since Dec 2006 • 5521 posts Report Reply

  • Lucy Stewart, in reply to Ian Dalziel,

    Yet after the fact there’s always money to clean up the mess these things can create…

    an ounce of prevention….


    I’m just wondering why the then Minister of Communications and Information Technology, Steven Joyce, or current minister Amy Adams hasn’t been called on the appalling failure, thus far, of the 2011 NZ Cyber Security Strategy (links to PDF file)

    Strategy is, of course, very far from implementation, but the key thing about the Cyber Security group and this report is that the focus is on active attacks, not basic architecture. Look at their headings; cyber crime, cyber espionage (the nineties are calling…). As has been mentioned in the other thread, this is fundamentally a failure to perceive data security as a basic principle of operations; no-one cared enough to do the basics.

    ETA: Also, keep in mind that the Cyber Security Centre has grown out of the Center for Critical Infrastructure Protection, which was a branch of the GCSB. That should give you some idea of their priorities.

    Wellington • Since Nov 2006 • 2105 posts Report Reply

  • Tim Michie,

    From what information we have at present Keith and Ira have both treated personal information with more respect than the minister in question and the affected government agencies. Stating the obvious I know but the pot/kettle black-calling is either attempted deliberate distraction or politicians denying themselves a moment to think about the degree of damage their departments have allowed.

    Auckward • Since Nov 2006 • 614 posts Report Reply

  • Sacha, in reply to Joshua Franklin,

    Thanks. That detail is well worth sharing around.

    Bailey had left his name and number when he called the Social Development Ministry last week to raise concerns about the vulnerability of Work and Income's systems.

    On Thursday, Bailey's LinkedIn profile had been checked out by an adviser in Social Development Minister Paula Bennett's office, Ng said.

    The Social Development Ministry had "categorically denied" leaking Bailey's name, Ng said.

    "I have no evidence it came from the minister's office but I think that is a reasonable guess."

    Ng said the Government wanted to "turn the conversation around" to focus on Bailey.

    However, Bennett today denied the leak came from her office and Prime Minister John Key ruled out involvement from his staff.

    Ak • Since May 2008 • 19707 posts Report Reply

  • nzlemming, in reply to Sacha,

    does case law support that?

    Yes. It's a strategy, not a regulation, or even a policy.

    Waikanae • Since Nov 2006 • 2932 posts Report Reply
