OnPoint: MSD's Leaky Servers
629 Responses
-
Sacha, in reply to
They will push Paula Bennett if it is required to keep National in government
Won't happen. CEO on the other hand..
May actually be used to beef up powers of Work and Income's new Rebstock-headed oversight 'Board' if the opposition don't follow this up carefully.
-
Andrew Elphick, in reply to
Yes indeed I am also wary that data matching from IRD could have been accessible during this time
-
Rich of Observationz, in reply to
Or they pay market rates for new hires (because otherwise they get zero qualified candidates and wind up reliant on contractors) and then never give rises because "times are tough". So the only way to get a pay rise is to leave. That's fairly endemic.
Also, the public sector has always paid a bit lower, but with the advantage of job security and feeling one benefits society. When the job security's gone and the purpose of the Minister in charge is basically to damage people's lives, that kind of goes away.
-
Craig Ranapia, in reply to
Craig, I understand this is a hideous start to the week for you, and I wouldn’t contribute to PA if I wasn’t thought-provoked and disagreed with. How about we call a truce and discuss rather than snark?
Fair call - but you know what? There's going to be plenty of political fall out for the Minister. There should be, and it goes with the ministerial warrant, so Paula Bennett is going to have to suck it up and deal.
But I'm a damn sight more angry at the people who directly failed in what should be an absolutely fundamental duty of care to people in the same position today as Emma and her Mum. To people like my foster brother and his wife, who are currently in the middle of adopting -- an incredibly tough process on all parties without wondering if some cyber-perv had their details on a USB stick.
Plenty of lashing to go around, but I've got to admit calling for Paula Bennett's resignation? Not top of my to-do list at the moment.
-
Hebe, in reply to
A public-sector CEO suit doesn't have the same public opinion value as a Minister approaching their Best Before date when one must be seen to be dealing to a problem.
-
Stephen Judd, in reply to
calling for Paula Bennett’s resignation? Not top of my to-do list at the moment.
Will you rewrite your list if it turns out she was warned?
-
Craig Ranapia, in reply to
Stranger things have happened.
-
Hebe, in reply to
I'm a damn sight more angry at the people who directly failed in what should be an absolutely fundamental duty of care to people in the same position today as Emma and her Mum.
Totally agree, and that is where attention must be focused. And the possibility of information being edited by third parties: astounding.
Cera access worries me a whole lot less: we have been wanting open government in Christchurch for some time.
-
Keith mentions he could “map any unsecured computer on the network”. Which seems (slightly) more than just going to File Open and navigating to network drives?
Yes. But mapping is just a way of taking a server that you access frequently on the local network (any one of the computers on that list), and making a virtual link to it. So instead of going to Network Places > ServerName > FolderName > SubFolder you can just access it like it's your local hard drive on your computer. So it's a matter of convenience for future access, not required to have access at all - anyone can navigate through the network places folder.
Also, hearing that the files were writeable (editable).
Yes. Though they're pdf files so probably not editable on the machine as that requires specialist software. Whether you can overwrite a file with a pdf that you've brought in...? I'd struggle to think how you could do that from within the microsoft office open file dialogue box.
-
Sue,
Thank you Keith
From a personal perspective I'm shocked my info is possibly that accessible.
But I'm not one of the country's most vulnerable people who needs all the protection and security and a place they can't live without fear.
I also wonder how much info there is about the benefit fraud investigation teams.
Fact of life there are some people who do intentionally engage in benefit fraud and some of those people are not nice and you wouldn't want them knowing where you live. And people in the investigation teams go to very long lengths to keep their identities out of the public to protect their homes and families. Is their info out there?
-
izogi, in reply to
Basically, not very difficult for someone with slightly extended knowledge of computers on enterprise networks. Possibly even less, because someone could inadvertently bring up that dialogue in Word and start clicking around from curiosity.
I totally agree. I know countless people, IT-background and not, who'd be able to pull this off easily, and many of whom would stumble on it accidentally because they like poking things, especially when a locked-down machine also prevents them from doing something they consider trivial and completely normal. (When computers give you 10 ways to do something, it's natural for some to try method B when method A doesn't work.)
The discussion here about some people's technical ability to figure this out is beside the point. It's the people who can do it who should worry everyone, and whatever one's ability to understand Keith's descriptions, it's definitely not tricky or obscure stuff. Most people wouldn't abuse it, but it only takes one, and there are some really basic chain screwups here on WINZ's part which have allowed it. (Firewall in the wrong place, account permissions, lack of effective testing, failure to respond to reports a year ago of the problems, etc etc.)
-
snikch, in reply to
Yea, you'd probably have to crack out the 'Save as' file dialogue box for that one.
-
Sacha, in reply to
Cera access worries me a whole lot less: we have been wanting open government in Christchurch for some time.
Heh
-
David Hood, in reply to
I’d struggle to think how you could do that from within the microsoft office open file dialogue box.
Trivia point, but a big selling point of Word 2013 is that they can open and edit PDFs (not that I am suggesting the Kiosks were using this version). More generally, I can think of a couple of ways, but we are getting into pretty technical "depends on the kind of PDF and how far you want to edit it" might or might not work uncertainties.
-
James George, in reply to
Altho I am amazed at what you can do in windows browse boxes. Unless someone has been all UAC or AD, pasting into em frequently works.
-
I’m still appalled that these kiosks weren’t set up as “kiosk-style” machines, of which there are copious examples around the place, with accounts that are basically “guest” accounts (assuming they need to be in the Windows security domain for other reasons).
Yeah. Presumably they have access to the MSD network for printing, you'd struggle to think of another reason why they'd need access beyond internet access - plenty of stuff on the various web sites with forms, jobs etc.
Yea, you’d probably have to crack out the ‘Save as’ file dialogue box for that one.
Probably not from word, which wouldn't do that for pdfs yet. If they have adobe on the machines that could be possible.
Also note this screen shot of the WINZ site taken a couple of minutes ago:
Current News [...]
Don't give too much away
09 October 2012
Find out how to keep your information safe so you don't become a victim of identity theft
-
Keir Leslie, in reply to
I am just presuming here, but my money would be on privilege escalation being pretty much trivial on these machines. The worrying thing is that it seems like you pretty much wouldn't need to...
-
Yes. If the admin passwords and VM information then there's a whole heap more damage that could be done for anyone with decent IT admin knowledge.
-
Martin Lindberg, in reply to
I'd struggle to think how you could do that from within the microsoft office open file dialogue box.
No problem. Just drop a file with the same name into the open file dialogue box. Microsoft has effectively turned that dialogue box into a slim file-manager.
-
James George, in reply to
I just tested out pasting a pdf into Word open file browse box on my domestic lan (pretty much just windows default settings) and managed to drop a PDF on another machine. It appeared to be invisible until I changed the file type from docx to *.*.
-
Sacha, in reply to
Just drop a file with the same name into the open file dialogue box. Microsoft has effectively turned that dialogue box into a slim file-manager
True. I recall keyboard shortcuts working there in the past too.
-
Andre Alessi, in reply to
Leaving aside the appalling security issue, are we all happy that MSD is contracting out a core function of Government?
Given that a private contractor with a less than stellar track record internationally (G4S) is responsible for monitoring people on home detention, I think the Veda link is small potatoes in comparison.
-
cognitive_hazard, in reply to
At least they installed font updates on the WINZ kiosks, Ironic Sans if I'm not mistaken?
-
niceness, in reply to
Hi Chris, I am interested in your claim that most of the fraud is committed by MSD staff. That's a biggie and if it's true it needs to be publicised for the sake of all genuinely struggling beneficiaries out there.