OnPoint by Keith Ng

Read Post

OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 2 3 4 5 6 26 Newer→ Last

  • Mia larsen,

    Who is going to have the last laugh now Paula Bennett, we the people at your expense, and as for that Mr Keys well he better be utulising those brothers of mine to seal a overseas deal on earning this country Trillions, like I said before we dont even have a 1000 dollar note yet printed, is this when maori start demanding the world bank make one....nah to hell with it we want at least eight trillion, so keep up the good work Mr Keys and bring home the bacon, I am already thinking what colour will they make this note "ALLBLACK" perhaps ! with a trim of gold around the edges, this is in relation to the water he thought he could sell earlier on behand Maoris back ayeee!! Hold up Brother we say we will discuss this and we have now you can go and find and seek the truth for NZ we want top dollar we got alot of hungry people to feed

    rotorua • Since Oct 2012 • 4 posts Report

  • Hilary Stace,

    I have a family member who works for an NGO that gets CYFs referrals for counselling and support. So all those details will be there. I wonder how many NZers are affected like this one way or another? Such a widespread violation of privacy.

    Wgtn • Since Jun 2008 • 3229 posts Report

  • Ben Austin,

    The third wave of stories will no doubt be on crowd funded journalism, since Keith has met his target again

    London • Since Nov 2006 • 1027 posts Report

  • Sacha, in reply to Sam Stephens,

    We are talking no access controls, meaning that at a policy level controls have never been instituted. Meaning that, even if by omission, a decision has been made that it’s okay for all MSD staff (and anyone else with access to MSDs network) to have access to all MSD information.

    This is huge.

    Deserves emphasising. Professionally speaking, this is a 101-level failure well beyond the kiosks or any random bad staff or contractors.

    Any IT manager right up to the new CIO should have spotted this stuff and fixed it. Ensuring it's not repeated also needs a culture change process like we've seen started at ACC, which takes in the CEO and the Minister as the public's representative.

    Government is relying on more connected government systems for efficiency and saving money, so this failure is instructive. We all deserve to feel confident.

    Ak • Since May 2008 • 19745 posts Report

  • Craig Ranapia, in reply to Hebe,

    Well done Keith for outing this. Absolutely fucking appalling mismanagement. Bennett must resign.

    Funny that’s your go-to response, rather than sacking the people who as far as I understand have had a heads-up on this before and did sweet Fanny Adams.

    North Shore, Auckland • Since Nov 2006 • 12370 posts Report

  • Hamish, in reply to Craig Ranapia,

    It's not entirely unfair, Craig. it really is this serious. Without hyperbole, it's about as serious a systems failure as can happen.

    If it is not in the perview of the minister responsible, nothing is.

    The A.K. • Since Nov 2006 • 155 posts Report

  • Rebecca Denton, in reply to Hamish,

    I agree Hamish. This kind of breach is pretty much as bad as it gets.

    United Kingdom • Since Oct 2012 • 5 posts Report

  • Shiny,

    NZ needs strong whistle blower protection. Not so much for Ng, but for the IT savvy professionals with some resemblance of a clue who surely had knowledge of the state of MSD's info security for a long time now.

    Since Oct 2012 • 2 posts Report

  • Sam Stephens, in reply to Rebecca Denton,

    And it's not just a breach. It's a complete lack of governance around access control of incredibly private data.

    United States • Since Oct 2012 • 2 posts Report

  • Craig Ranapia, in reply to Hamish,

    It’s not entirely unfair, Craig. it really is this serious. Without hyperbole, it’s about as serious a systems failure as can happen.

    I do understand that, considering I may just have some quite involved medical records that were passed over to WINZ (perfectly legitimately) back in the day, I might as post here. I’d just like to see some accountabilities called for from, you know, people who are a little more directly responsible for data security.

    North Shore, Auckland • Since Nov 2006 • 12370 posts Report

  • Heather Gaye, in reply to Hamish,

    Yeah, but this breach signifies bad (*coff* nonexistent) security practices that go back YEARS. It's only the introduction of a public portal that's made it apparent. CIO's head yes, minister in charge... wishful thinking.

    Morningside • Since Nov 2006 • 533 posts Report

  • Sofie Bribiesca, in reply to Craig Ranapia,

    Funny that’s your go-to response, rather than sacking the people who as far as I understand have had a heads-up on this before and did sweet Fanny Adams.

    I doubt we would have seen the kiosks without Bennett and Nactional so sack the lot ,I say! More Transparency? You got it. All upside your face Key.
    Perhaps if they weren't so busy denigrating beneficiaries and instead dealt with them like humans rather than beans.....

    here and there. • Since Nov 2007 • 6796 posts Report

  • Hilary Stace,

    To look on the bright side. This will be another valuable case study for students of the growing academic discipline of e-government.

    Wgtn • Since Jun 2008 • 3229 posts Report

  • Sacha,

    More online government services were always coming no matter who was in power, and this process will continue over many years. Addressing this properly requires a cross-government response and strong leadership.

    One practical thing that can be done pronto is to give the Privacy Commisioner's office the teeth they've been seeking so they can strengthen up the ongoing independent oversight and advocacy they do such a good job of already.

    Ak • Since May 2008 • 19745 posts Report

  • stuartm, in reply to dc_red,

    Does anyone know the significance (if any) of Mountain Standard Time reference on one of the captures?

    There would be no significance to this. This looks like it's just a default config file used to provision computers/servers. Same goes with the short-looking admin password - this would almost certainly just be part of the initial build process and would get locked down further along the process.

    Wellington • Since Jun 2008 • 4 posts Report

  • Jonathan King,

    Incredible (and depressing) to hear Katherine Ryan and Katrin Evans saying to each other "well, I don't know if you or I could do it, but it seems if you know about Computers it's not that difficult ...".

    Since Sep 2010 • 185 posts Report

  • Richard Aston,

    Keith on your Nat Radio interview this morning you mentioned being tipped off .
    Implies others know about this security hole.
    How many and for how long? You are clearly doing the right thing handing over files to the privacy commission.
    It begs the question how many people have already accessed MSD files, how deep did they go and what are they doing with that data?

    Northland • Since Nov 2006 • 510 posts Report

  • James George,

    There is no doubt that Bennett is responsible for this farce. The "Self Service Kiosks" were introduced last year on the back of Winz staff cuts so that jobseekers could access vacancies without having to tie up staff by 'interacting' with them.
    The kiosks were introduced by way of a national rollout with attendant free drinks and press releases for journos.
    At some stage, doubtless out of due regard to Winz managers penchant for re-aranging the furniture whenever they are given yet another crazy command from oberSturmbanfuhrer Bennett, a decision must have been made to ignore the pesky requirement to pay an 'expensive' IT contractor to come in and change the local network's active directory every time the Kiosk was moved, expanded, or its PC swapped. Although that sounds crazy surely they must have an onsite secirty officer at each office, someone who can be trained to implement this trivial task. Or not. "After all" some moron thought to himself, "its not as if they can access the national network from these terminals, they're only gonna get the local data n whats that? Boring old accounts."
    This is a classic example of the folly of mega departments; once they are created , usually by a larger organisation swallowing a number of public service minnows, the odds are high that most of senior management has no idea of the actual duties of the former small fry.

    That means they don't understand CYFS holds accounts with intimate details of their at risk clients on their local network. As far the managers are concerned Accounts are the mob who are always harrassing him when he wants to upgrade to the latest iteration of y-phone, and IT is the mob who won't knock up a quick app permitting him to do his job from under the table of the local strip club. (true stories from a mega bureuacracy I once did a lag in) but that was a digression.

    I have had a bit of a play around on a kiosk while bored waiting for a quick client/winz interface but tho I noticed the vulnerability I decided not to push it too far lest the legendary MSD audit trail ID my activities. It looks as though I shouldn't have worried all the security is tied to the national client database which is what private detectives try to bribe idjit winz staff to get into.

    Since Sep 2007 • 96 posts Report

  • DexterX,

    The degree of incompetence is unfathomable.

    Auckland • Since Nov 2006 • 1224 posts Report

  • Bart Janssen, in reply to mjb,

    it’s more likely that IT staff heads will roll, not Bennett or the guvmint.

    Sadly that's true.

    It's likely the people building this system were the cheapest that they could hire. Not necessarily bad workers just lacking in the kind of experience that would prevent this disaster.

    They of course will have been hired by manager who will be paid full "market rates" who will have been given direction by senior executives who will have demanded salaries equivalent to those overseas.

    The heads that should roll should be those managers. But in all likelyhood it will be the overworked IT codemonkeys who get the chop and the managers will survive.

    Auckland • Since Nov 2006 • 4461 posts Report

  • rodgerd, in reply to Mark Hansen,

    Mark, if you can access the VM images, then you have the Windows SAM files within those images, which mean you will be able to get domain admin logins as quickly as you can crack them.

    Wellington • Since Nov 2006 • 512 posts Report

  • Daniel Webster,

    Unfortunately public ignorance of IT is going to work in the government's favour on this one. They're describing it as a security flaw and 'investigating' how the flaw occurred - as if to suggest it was a complex error in an existing security framework rather than a complete lack of any security whatsoever - and Key's already heavily downplaying it saying on Breakfast this morning that "accessing the information wasn't easy". The media aren't likely to run too far with it by themselves and Labour never miss a chance to miss an opportunity. I'm predicting this story will be gone within ~3 days.

    Christchurch • Since May 2007 • 4 posts Report

  • cognitive_hazard,

    Roll up, roll up, extended season at Govt data security amateur hour! Get your tickets now! Aren't GCSB mandated to deal with this stuff? My mistake, they too busy spying on overweight German egos

    New Zealand • Since Oct 2012 • 13 posts Report

  • Joshua Franklin,

    IANAL, but for those with legal concerns:

    (1)Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.
    (2)To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.

    I think it's fair to say that a self-service kiosk implies a certain level of authorisation to access the system (where "system" is defined in the Act as stretching to encompass the network). My reading of subsection 2 is that once they've given you access, you can have at anything which isn't bolted down, so long as you limit your activities to viewing so as not to engage the parts of the Act which cover damaging or interfering.

    Wellington • Since Oct 2012 • 5 posts Report

  • Craig Ranapia, in reply to Daniel Webster,

    Key’s already heavily downplaying it saying on Breakfast this morning that “accessing the information wasn’t easy”.

    Well, he’s not wrong but completely misses the point. I couldn’t do what Keith did – but the point is that nobody should be able to. A non-trivial point I’m sure Mr. Key would heartily concur with if someone without a legitimate interest in doing so accessed his tax records (which I assume are sitting on an IRD server somewhere).

    North Shore, Auckland • Since Nov 2006 • 12370 posts Report

First ←Older Page 1 2 3 4 5 6 26 Newer→ Last

Post your response…

This topic is closed.