OnPoint: MSD's Leaky Servers
-
Rebecca Denton, in reply to
It seems appropriate to declare this a scandal.
Job well done, chaps.
-
Sacha, in reply to
With greater information sharing across government agencies, it's quite a useful reminder of possible implications, surely?
-
Craig Ranapia, in reply to
Oh yes you could… that’s what Keith shows. It wasn’t hard at all, and for Key to say otherwise is just silly.
Could you do Deborah and me the courtesy of presuming 1) we can accurately assess the limits of our own (in)competence, and, 2) that not everyone in the PAS community shares the knowledge and skill-sets of others around here who make a living off knowing shit about gadgets?
I know the default setting around here is that Key is a mendacious fuck-wit who can’t lie straight in bed, but sorry… as I said, I don’t think he’s wrong on that but manages to totally miss the point. I don't want my personal information to be hard to get to; I want it to be impossible to access for anyone who doesn't have a clearly defined and limited legitimate interest in doing so.
-
Joe Wylie, in reply to
Seems staff using MSD's network in their day-to-day job have global access. Easily.
Grossman's gone now, but her publicly expressed concern over this breach seems to make Keith's revelations all the more remarkable.
-
Sacha, in reply to
Kay Brereton of the Beneficiaries Advocacy Federation says she told MSD about the flaws in the kiosks a year ago
Here she is on Radio NZ this morning (2 mins, listening options).
-
I have a secure file at WINZ. Should I be worried? I have just spoken to an area manager who told me I had nothing to worry about. Please help me find out if he is right. There is a serious reason I have a secure file.
-
Sacha, in reply to
Key is simply wrong. It *was* easy, as others have described.
Please trust those here who do actually know what we're talking about - including experience teaching introductory Windows courses to people who have never used a computer before.
That doesn't mean every member of the public could do what Keith did. You do need to know more to realise the implications - but that's why organisations spend some of their budgets hiring experts, managers and governors to oversee them.
-
Sacha, in reply to
I suggest contacting the Privacy Commissioner right away - http://privacy.org.nz/contact-us/
-
Craig Ranapia, in reply to
Please trust those here who do actually know what we’re talking about –
I do, but the patronising head pat was neither helpful nor called for. Please share expertise, but it really helps to keep in mind that what’s obvious or “easy” for you might not be for everyone in the room.
-
Stephen Judd, in reply to
That's just a rumour I heard, albeit an all-too-plausible one. I would like someone to look into it though.
-
Keir Leslie, in reply to
Mind you, you know exactly who could (would) do what Keith did? Bored, inquisitive, mildly anti-social young men. Where might you find a bunch of them -- oh.
-
BenWilson, in reply to
It seems appropriate to declare this a scandal.
Totally. To ignore testers suggests that a due process was actually overridden, rather than the processes being neglectfully weak in the first place.
-
Juha Saarinen, in reply to
Well... both you and Deborah can turn on your computers, browse the web, post comments on Public Address, etc. That's actually the level of skill required so it is fair to say it was very easy. Think of it as the polar opposite to "secure", as in "totally open".
-
aim,
Keith: If you have not done so already, my suggestion is to get a good PR firm that understands IT on your side. Otherwise the machine will roll over you, as they will likely rely on the fact that the majority of Joe Public won't even know what this all means. To them, you might as well be speaking in a foreign tongue. The machine will use that in their favour to ensure they hang you out to dry as the wrongdoer and not the fact that their shared systems are seriously flawed!
-
Craig Ranapia, in reply to
oberSturmbanfuhrer Bennett,
James George: Stop it. Just stop it.
-
Steve Barnes, in reply to
Computers are a bit like cars: most of us know how to use them, many of us know how to do minor things
Thing is though that this is akin to looking in the glove box and finding the contents of everybody else's glove box (ok, so you have to invoke the spatial/time anomalies usually encountered in the Tardis but I'm sure you have a handbag and know about such things)
What I don't understand is why they didn't just use Windows 7, an operating system that not only takes eons to search for files but when you eventually track them down you are not allowed access. Brilliant.
-
Bevan Shortridge, in reply to
Keith mentions he could "map any unsecured computer on the network". Which seems (slightly) more than just going to File Open and navigating to network drives?
So the drives/folders weren't just sitting there already mapped under File Open (which anyone could find)? They had to be mapped first (which is slightly more difficult, although not very if you went looking)? I'm slightly confused now.
-
Heather Gaye, in reply to
I understand where you and Deborah are coming from, but I think you're getting confused by jargon, as opposed to what's actually required. This is something that someone could do accidentally. (edit: ah, had another look, and I'm wrong about this - it'd be quite a stretch to do it accidentally.)
Also, I believe there's an ongoing generational shift (no disrespect intended). I can guarantee that vast swathes of the school-leavers and university graduates that have gone through WINZ since the kiosks were installed will have been capable and inclined to do what Keith did. The most pertinent virtue is a little curiosity, sufficient to override any fear of doing anything wrong (whether that's technically or legally).
-
Saying that you wouldn't know how to do Keith's hack is like saying you don't know that addition is commutative. You just don't know the words, but if I rephrased it as "you know that 1+2 is the same as 2+1, right?", you'd be getting a feel for the level of difficulty involved in accessing the data that Keith exposed.
-
Heather Gaye, in reply to
So the drives/folders weren't just sitting there already mapped under File Open (which anyone could find)?
I thought the same when I read that, but check his first screencap - long list of computers already visible to the network.
-
Deborah, in reply to
Please trust me when I say I don’t know how to do this. Also, I use Macs, so Windows?
Without being too outrageous about this, I’m pretty well educated, and reasonably able to pick things up if I care to pay attention to them. I just don’t care about computer systems and file systems and things like that. Even the word “dialogue”, as in “Open File dialogue”, loses me, because it’s not language I use. Nor is it anything in which I’m at all interested. I just want the damn computer to work, and I expect our IT people to sort stuff for me if it doesn’t.
Even if I used whatever this “Open File dialogue” thing is, if I got a screen looking anything like the pictures that Keith has loaded in his column, I would go, “WTF is that?” and hit the button to go back a page. Because it is Greek (geek?) to me.
So, yes, anyone with more interest in the inner workings of computers and files (and really, what exactly is a “file server”? – I genuinely don’t know, but also, I’m not sure that I actually need to know in order to be able to use my computer)…. anyway, anyone with more interest in the inner workings of computers would undoubtedly be able to read those screenshots in a way that I can’t, and chances are that there are a lot of people who are more interested than me in computers, so there were a lot of people who could go and take a wander through MSD’s files. But I’m not one of them.
Really, please do me the courtesy of taking my word for it when I say that I really don’t understand the inner workings of computers. Nor do I wish to.
-
Martin Lindberg, in reply to
Keith mentions he could "map any unsecured computer on the network". Which seems (slightly) more than just going to File Open and navigating to network drives?
I guess the point is that it could be done by anyone with slightly above average computer skills. How easy or difficult it is to obtain this access is all varying shades of fail.
It should be impossible to do even for a skilled hacker.
-
Can't get hold of the Privacy Commission, answerphone, typical. I need to find out if my info was safe or has it been accessed. Help, what do I do?
-
I'm intrigued by the fact that MSD use Veda to pursue those "clients" who owe it money. Leaving aside the appalling security issue, are we all happy that MSD is contracting out a core function of Government? Such a move is tailor-made IMO for security failures at some stage.
-
Glenn Pearce, in reply to
+1 I was just typing more or less the same question
Keith - did your tipoff come from someone with prior knowledge of the MSD IT infrastructure or just a jobseeker who stumbled across this?