OnPoint: MSD's Leaky Servers
629 Responses
-
Katita, in reply to
I work in IT, and yes this situation is FUBAR wide and deep. But when working on systems implementations you generally write requirements ... and where do those requirements come from? The business whose problem you are solving. Someone would have accessed and 'solved' the security considerations; maybe these items were given lower priority or put out of scope due to time or money ... again this would have been a business call.
Of course the breach is massive and sickening ... but to re-iterate what others have said, this isn't an IT issue. It's systemic, cultural and pervasive in MSD.
About 100 years ago I worked in the front office of an alcohol and drug counselling service. This was back in the day (almost) pre-computer. We double-locked all client files, never gave out client information on the phone, used first names only, shredded any document containing client data. The storage mechanism is secondary, either you understand what confidential information is and how to treat it or you don't. Apparently MSD don't.
-
Katita, in reply to
have accessed and
... 'assessed'
-
Keith got $4000???
Bloody bludger!!!
-
I think he prefers the term "busker" ...
-
Andrew C, in reply to
“Ministry chief executive Brendan Boyle says private company Dimension Data was hired to test the security of the kiosks prior to Mr Ng’s experience and reported no problems.” RadNZ
There was a little more to his statement than just this. He also said that he had yet to verify exactly what they had tasked Dimension Data to check.
-
Sam F, in reply to
Checked Kiwiblog (for my sins) and pleasingly most people were quite happy with Keith's work - only the one huffy type who told DPF he didn't give money to "socialist losers" voluntarily. You can't please them all...
-
Sacha, in reply to
The storage mechanism is secondary, either you understand what confidential information is and how to treat it or you don't.
+1
-
Kumara Republic, in reply to
Let’s shoot the messenger instead.
-
Sacha, in reply to
'data-busker' has a certain ring to it
-
merc,
I wonder if when they took the kiosks offline they bumped up staff numbers to cope? I also wonder if they have drawn up a plan?
I also wonder if this is the straw that gets the PM to the booths early. On so many fronts finally anyone can see this Govt. is woefully broken.
Oh and suing, surely there is a contract WINZ have broken?
Is this the death knell for corporatism? Has anyone considered how totally undemocratic it is?
-
Breaking news, from Mr Boyle:
Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data’s recommendations on security.
IOW, the testers found things and were ignored.
-
Matthew Poole, in reply to
I wonder if when they took the kiosks offline they bumped up staff numbers to cope?
Herald article I saw yesterday said that wasn't going to be happening.
-
merc, in reply to
Herald article I saw yesterday said that wasn't going to be happening.
Their basic duty of care is repulsive. It may be time for a charter, between us and Govt. Our democracy is broken, IMO.
I blame the CEO model, squarely.
-
And this, which is even more explicit that the testers found things and reported them, and there was a failure to follow through on what was reported.
-
Matthew Poole, in reply to
Their basic duty of care
aha. haha. hahahahahahahahaha.
-
Martin Lindberg, in reply to
And this, which is even more explicit that the testers found things and reported them, and there was a failure to follow through on what was reported.
That seems more likely. I've engaged with Dimension Data (or rather, their subsidiary SecurityAssessment.com) a number of times and I really don't believe they would have missed a security issue like this.
-
John Holley, in reply to
Especially as I think it was one of their staff who spoke at Defcon last year on hacking into kiosks!
-
Russell Clarke, in reply to
... and where do those requirements come from? The business whose problem you are solving. Someone would have accessed and 'solved' the security considerations; maybe these items were given lower priority or put out of scope due to time or money ... again this would have been a business call.
I cringe when I hear of people blaming the business for the requirements. As a technology consultant who does a lot of requirements work, I'm working with the business to add value, not just to scribe ill-thought out blue sky wish lists.
Good business analysis consulting is about helping the business realise what they don't understand about technology, uncovering things they haven't considered, challenging their assumptions, highlighting risks and issues, and persuading them to do things the right way.
Such risks include security, or lack thereof.
Perhaps the business did indeed treat this as a low priority, but I would expect any savvy technology partner to be raising their hands and shouting about this to the governance stakeholders, and saying it's not acceptable.
Saying 'we were just following orders' is a cop-out.
-
merc, in reply to
Their basic duty of care...
aha. haha. hahahahahahahahaha.
I am fairly sure they have a legal one. Otherwise we are screwed.
-
Kumara Republic, in reply to
Their basic duty of care is repulsive. It may be time for a charter, between us and Govt. Our democracy is broken, IMO.
I blame the CEO model, squarely.
Are we seeing the mirror-flip of the British Winter of Discontent?
-
Matthew Poole, in reply to
Perhaps the business did indeed treat this as a low priority, but I would expect any savvy technology partner to be raising their hands and shouting about this to the governance stakeholders, and saying it’s not acceptable.
Saying ‘we were just following orders’ is a cop-out.
In the current political environment regarding privacy of client information, are you at all doubtful that this could've been ignored by those at the governance level? Particularly if the report from S-A was jargon-heavy and could be dismissed as "someone's got an over-active imagination. None of our clients are that smart."
-
I know everyone is pretty much focusing on the privacy breach - and it is huge. But the more I think about this the more I agree with Matthew Poole (good piece on RNZ btw).
The bigger story here is the biggest security breach in NZ Govt history. Quite frankly we should be assuming that any of the information that was accessible from the kiosk (and Keith only took a small fraction) is 100% compromised and quite possibly in the hands of foreign interests (the security hole has been there for months).
The cascade effect from WINZ->MSD->the rest of Govt e.g. CERA, DIA etc., is something we need to highlight. It might all come to nothing but, as Matthew said, we have to assume the entire WINZ network (and networks with trust relationships) could have been/was compromised.
The mind boggles on the potential level of exposure we face.
-
Sacha, in reply to
Perhaps the business did indeed treat this as a low priority, but I would expect any savvy technology partner to be raising their hands and shouting about this to the governance stakeholders, and saying it's not acceptable.
Saying 'we were just following orders' is a cop-out.
It reflects the culture of this government perfectly - a testament to the professionalism of our public servants, ironically. This is where ignoring experts and the public in favour of faith-based 'decisiveness' takes us.
-
merc, in reply to
Hehe, I doubt it, but I note that the legal responsibilities of Govt. are never discussed in context with systemic failures.
It would appear we have no legal right of redress in such instances. Pretty glaring hole in our democracy wouldn't you say?