OnPoint: MSD's Leaky Servers
629 Responses
-
Steve Barnes, in reply to
Please don’t bring her here
You don't feel like some sport?
:-)
Thinks... fish in barrel
-
Sacha, in reply to
not in a serious thread, thanks
-
Hello, is anyone listening to Parliament? Why do people (Paula Bennett etc) say "vunnerable" instead of "volnerable"? Jacinda Ardern seems to be doing a bit of both. I've looked up and listened to online dictionaries - so far all say "volnerable".
-
Sam F, in reply to
My bad for introducing the whole mess.
-
Sacha, in reply to
nah, we're good #fingerscrossed
-
Matthew Poole, in reply to
-
Jeremy Andrew, in reply to
Please don't bring her here
If you look in a mirror, and say her name three times...
-
Hi all,
I'm living away from NZ and am late to this news. Firstly, it's of course shocking and great work Keith for uncovering it.
There are now 22 pages of comments and I am not going to wade through them but I guess someone has already asked some questions I have in mind and also got some good answers. Can someone help me here please?
This security breach seems to have been going on for some time. Keith also needed some time to document the degree of the breach - the kinds of information that was available etc. And as Keith has demonstrated some of it is very personal information about very vulnerable people and sensitive situations. I understand that Keith took one week to research and release his findings. Even if the breach had already been going on for some time it seems to me that one week is a long time to knowingly keep very sensitive information unprotected.
I'm all for holding those responsible to account and for exposing the severity of the breach, but it seems to me that protecting the vulnerable should be a slightly higher priority from a public interest point of view.
Did I understand correctly? Did anyone discuss these issues?
Thanks!
-
I see the Greater Manchester Police have been fined for shoddy data handling (2nd offence)
article
-
Sacha, in reply to
that's what worries me :)
-
Sacha, in reply to
Did anyone discuss these issues?
The shooting of the messenger? Yes, all over the right wing blogs, sir.
-
Matthew Poole, in reply to
Even if the breach had already been going on for some time it seems to me that one week is a long time to knowingly keep very sensitive information unprotected.
The breach is roughly two years old, dating back to when the kiosks were installed. One week is neither here nor there.
As for taking the time, if Keith hadn't documented so thoroughly it's entirely likely that his concerns would've been dismissed. After all, as it has turned out MSD were informed in April 2011 that this flaw existed. And they did nothing. Without solid evidence of the scale what makes you think anything would've changed? Keith wanted the scoop, sure, but government departments aren't known for their swift action in the absence of a blazing public fire.
-
David Chittenden, in reply to
Thanks Matthew. 2 f***'n years! OK. That makes complete sense ...
-
David Chittenden, in reply to
The shooting of the messenger? Yes, all over the right wing blogs, sir.
Oh, I can imagine. Thanks
-
Matthew Poole, in reply to
Keith didn't know it had been that long when he started (nor did anyone else, except the security testers and whoever ignored their recommendations), but the kiosks were big news when they arrived so he probably had some vague suspicion that this wasn't a hole that had appeared within the past few months.
-
Did I understand correctly? Did anyone discuss these issues?
Keith's laptop was a more secure place to have this information than the kiosks. The only thing that was as insecure was probably his memory stick. And he probably tried not to leave that lying around in public areas, unlike the MSD.
-
Matthew Poole, in reply to
I think David's concern was more that Keith didn't give MSD a prompt heads-up, meaning the window of opportunity for others to exploit the weakness remained open for longer than might've been necessary. In the context of two years, though, a week is nothing.
-
http://tvnz.co.nz/national-news/hacking-teacher-employed-winz-s-company-5136805
Bloody hell. They could generate electricity from that much spinning.
-
Daniel Craig, in reply to
If Craig is right, he and a conference of hackers can break into Winz kiosks in less than two minutes.
No Paula. Average user, with the barest minimum technical skill, from the street can "break" into the MSD internal network. Hacking the kiosks was never required.
The entire MSD infrastructure stack has to be considered compromised at this point, and in the immortal words of Ellen Ripley...
-
Well Matthew, THAT kind of guy is worth $450 / hour. Or at least equal to one of those $500k+ ACC overpaid bods. Just have to keep him happy and on the right side.
-
Daniel Craig, in reply to
Nah, sorry, removed the link. I don't think I really want us joining the game here.
Yep, no worries. She's infected me and I can't help but propagate her hambeastery.
-
Russell Clarke, in reply to
The breach is roughly two years old, dating back to when the kiosks were installed. One week is neither here nor there.
The vulnerability may have existed for 2 years but that doesn't mean that people have been taking advantage of it since then. Or ever (until now).
-
Russell Brown, in reply to
http://tvnz.co.nz/national-news/hacking-teacher-employed-winz-s-company-5136805
Bloody hell. They could generate electricity from that much spinning.
If that story is the result of a tip from the ministry side, things are getting very shabby indeed.
-
Kumara Republic, in reply to
If that story is the result of a tip from the ministry side, things are getting very shabby indeed.
The sound of an organisation trying to save both its arse and its face at once.