OnPoint by Keith Ng

OnPoint: MSD's Leaky Servers

629 Responses

  • Steve Barnes, in reply to Sacha,

    Please don’t bring her here

    You don't feel like some sport?
    :-)
    Thinks... fish in barrel

    Peria • Since Dec 2006 • 5521 posts Report

  • Sacha, in reply to Steve Barnes,

    not in a serious thread, thanks

    Ak • Since May 2008 • 19745 posts Report

  • Cecelia,

    Hello, is anyone listening to Parliament? Why do people (Paula Bennett etc) say "vunnerable" instead of "volnerable"? Jacinda Ardern seems to be doing a bit of both. I've looked up and listened to online dictionaries - so far all say "volnerable".

    Hibiscus Coast • Since Apr 2008 • 559 posts Report

  • Sam F, in reply to Sacha,

    My bad for introducing the whole mess.

    Auckland • Since Nov 2006 • 1611 posts Report

  • Sacha, in reply to Sam F,

    nah, we're good #fingerscrossed

    Ak • Since May 2008 • 19745 posts Report

  • Martin Lindberg,

    almost Friday...

    Stockholm • Since Jul 2009 • 802 posts Report

  • Matthew Poole, in reply to Martin Lindberg,

    Auckland • Since Mar 2007 • 4097 posts Report

  • Jeremy Andrew, in reply to Sacha,

    Please don't bring her here

    If you look in a mirror, and say her name three times...

    Hamiltron - City of the F… • Since Nov 2006 • 900 posts Report

  • David Chittenden,

    Hi all,

    I'm living away from NZ and am late to this news. Firstly, it's of course shocking and great work Keith for uncovering it.

    There are now 22 pages of comments and I am not going to wade through them but I guess someone has already asked some questions I have in mind and also got some good answers. Can someone help me here please?

    This security breach seems to have been going on for some time. Keith also needed some time to document the degree of the breach - the kinds of information that was available etc. And as Keith has demonstrated some of it is very personal information about very vulnerable people and sensitive situations. I understand that Keith took one week to research and release his findings. Even if the breach had already been going on for some time it seems to me that one week is a long time to knowingly keep very sensitive information unprotected.

    I'm all for holding those responsible to account and for exposing the severity of the breach, but it seems to me that protecting the vulnerable should be a slightly higher priority from a public interest point of view.

    Did I understand correctly? Did anyone discuss these issues?

    Thanks!

    Since May 2011 • 31 posts Report

  • David Hood,

    I see the Greater Manchester Police have been fined for shoddy data handling (2nd offence)
    article

    Dunedin • Since May 2007 • 1445 posts Report

  • Sacha, in reply to Jeremy Andrew,

    that's what worries me :)

    Ak • Since May 2008 • 19745 posts Report

  • Sacha, in reply to David Chittenden,

    Did anyone discuss these issues?

    The shooting of the messenger? Yes, all over the right wing blogs, sir.

    Ak • Since May 2008 • 19745 posts Report

  • Matthew Poole, in reply to David Chittenden,

    Even if the breach had already been going on for some time it seems to me that one week is a long time to knowingly keep very sensitive information unprotected.

    The breach is roughly two years old, dating back to when the kiosks were installed. One week is neither here nor there.

    As for taking the time, if Keith hadn't documented so thoroughly it's entirely likely that his concerns would've been dismissed. After all, as it has turned out MSD were informed in April 2011 that this flaw existed. And they did nothing. Without solid evidence of the scale what makes you think anything would've changed? Keith wanted the scoop, sure, but government departments aren't known for their swift action in the absence of a blazing public fire.

    Auckland • Since Mar 2007 • 4097 posts Report

  • David Chittenden, in reply to Matthew Poole,

    Thanks Matthew. 2 f***'n years! OK. That makes complete sense ...

    Since May 2011 • 31 posts Report

  • David Chittenden, in reply to Sacha,

    The shooting of the messenger? Yes, all over the right wing blogs, sir.

    Oh, I can imagine. Thanks

    Since May 2011 • 31 posts Report

  • Matthew Poole, in reply to David Chittenden,

    Keith didn't know it had been that long when he started (nor did anyone else, except the security testers and whoever ignored their recommendations), but the kiosks were big news when they arrived so he probably had some vague suspicion that this wasn't a hole that had appeared within the past few months.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Kyle Matthews,

    Did I understand correctly? Did anyone discuss these issues?

    Keith's laptop was a more secure place to have this information than the kiosks. The only thing that was as insecure was probably his memory stick. And he probably tried not to leave that lying around in public areas, unlike the MSD.

    Since Nov 2006 • 6243 posts Report

  • Matthew Poole, in reply to Kyle Matthews,

    I think David's concern was more that Keith didn't give MSD a prompt heads-up, meaning the window of opportunity for others to exploit the weakness remained open for longer than might've been necessary. In the context of two years, though, a week is nothing.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Matthew Poole,

    http://tvnz.co.nz/national-news/hacking-teacher-employed-winz-s-company-5136805
    Bloody hell. They could generate electricity from that much spinning.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Daniel Craig, in reply to Matthew Poole,

    If Craig is right, he and a conference of hackers can break into Winz kiosks in less than two minutes.

    No Paula. Average user, with the barest minimum technical skill, from the street can "break" into the MSD internal network. Hacking the kiosks was never required.

    The entire MSD infrastructure stack has to be considered compromised at this point, and in the immortal words of Ellen Ripley...

    Wellington • Since Oct 2012 • 3 posts Report

  • Ross Mason,

    Well Matthew, THAT kind of guy is worth $450 / hour. Or at least equal to one of those $500k+ ACC overpaid bods. Just have to keep him happy and on the right side.

    Upper Hutt • Since Jun 2007 • 1590 posts Report

  • Daniel Craig, in reply to Russell Brown,

    Nah, sorry, removed the link. I don't think I really want us joining the game here.

    Yep, no worries. She's infected me and I can't help but propagate her hambeastery.

    Wellington • Since Oct 2012 • 3 posts Report

  • Russell Clarke, in reply to Matthew Poole,

    The breach is roughly two years old, dating back to when the kiosks were installed. One week is neither here nor there.

    The vulnerability may have existed for 2 years but that doesn't mean that people have been taking advantage of it since then. Or ever (until now).

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts Report

  • Russell Brown, in reply to Matthew Poole,

    http://tvnz.co.nz/national-news/hacking-teacher-employed-winz-s-company-5136805
    Bloody hell. They could generate electricity from that much spinning.

    If that story is the result of a tip from the ministry side, things are getting very shabby indeed.

    Auckland • Since Nov 2006 • 22850 posts Report

  • Kumara Republic, in reply to Russell Brown,

    If that story is the result of a tip from the ministry side, things are getting very shabby indeed.

    The sound of an organisation trying to save both its arse and its face at once.

    The southernmost capital … • Since Nov 2006 • 5446 posts Report


This topic is closed.