Posts by Keith Ng
Last ←Newer Page 1 2 3 4 5 Older→ First
-
OnPoint: #WTFMSD: "Damning", in reply to Matthew Poole,
That looks pretty damned searchable to me, if one had a spot of inside info.
Those file names were from the case files server logs. The case file server itself was inaccessible. Most of my grabs were from the invoice server, which was unsorted and unnamed.
-
OnPoint: #WTFMSD: "Damning", in reply to Idiot Savant,
That would certainly get you mass-downloads. But it wouldn't e.g. spot a debt-collector using a kiosk to access information on a few people they were looking for.
Can't. They were scanned PDFs with no metadata and sequential file names. It is impossible to look for anything. Scouring for personal information is possible, but you'd need to sort them by hand or OCR them first, which would require a data dump.
-
OnPoint: #WTFMSD: "Damning", in reply to nzlemming,
Did they identify your downloads? And from that, which files you accessed?
Yes (I think).
-
OnPoint: #WTFMSD: "Damning", in reply to James George,
Every Winz regional office (do they still call them that?) would have had their own local area network which was compromised to varying extents depending on what that regional office chose to make available on its LAN.
My understanding is that all the computers were connected on a single, national, corporate network.
-
OnPoint: #WTFMSD: "Damning", in reply to Idiot Savant,
The Deloittes report makes it clear that there's no auditing or logging. So their claim that there were no other breaches is pulled from their arse. I wonder how much they got paid for that?
My understanding is that there's no audit trail to determine *who* accessed information, but that there *were* network logs. Boyle talked about not finding any "download patterns" - i.e. People leeching large volumes of data, like I did. That seems like a reasonable way to detect intrusion, unless it was someone who covered their own tracks (in which case no audit trail would help).
-
OnPoint: #WTFMSD: "Damning", in reply to John Holley,
The report focuses on privacy when the bigger whole of government issue is the potential cascade of security breaches. The analysis of this seems to be entirely missing.
It's true. Not a conspiracy though - I just don't know what the story is. With the invoices, I can tell you how many invoices are contained on the servers, what they contained and what significance it has.
But the security context? True, it has the potential to compromise everything everywhere. But there are probably vulnerabilities elsewhere that has the same potential. The consequences are somewhere between nothing and everything, and I don't know what to do with that.
-
OnPoint: H4x0rs and You, in reply to Lilith __,
But surely if Keith hadn't sighted the files, he wouldn't know they were confidential, and if he hadn't copied them, he would've had no proof. There would have been no story. And the MSD security hole would remain wide open.
I've been meaning to clarify that point. It's come up elsewhere. It was not possible (or practical) to view the PDFs on the computer. If I didn't spend three days reading invoices, I couldn't have known what was in there. For every damning one containing sensitive information, there were a dozen invoices for milk and sausage rolls.
It wasn't enough to establish that there were *some* sensitive information somewhere on those servers, I had to establish *what* the nature of that sensitive information was. And there was a broad range of it. That was why I needed to go through so damn many, and that in turn was why I had to download them.
-
OnPoint: H4x0rs and You, in reply to john Drinnan,
Good thing about this blog is it removes blogger suggestion Paul Craig was fed to TVNZ by authorities. HDPA and Patrick Gower are both very solid journalists - and I wouldn't imagine they would use the term shit to describe your work
Ahem. "Sanctimonious bore", I believe, were the words Gower used to describe me when I suggested that he got it wrong. I'd argue that "shit" is no more aggressive than that.
Also: He got it wrong. Really wrong.
He bought the story he received by anonymous email - that Murray McCully was the victim of systemic hacking by a Russian group out to steal military secrets. It was a ludicrous thing to believe and to report for the reasons I described in my post. And, as it transpired, he was proven to be wrong.
He reported something which was wrong, and which would not have been plausible to someone with reasonable background knowledge. I think I'm on solid grounds to call that shit reporting.
I wouldn't go nearly as far with HDPA, but it's still a bit shit. We've been on friendly terms for most of the MSD story, but hey: without fear or favour, right? It's not personal, but she really didn't understand a lot of background and context. Treating Paul Craig as if he was a blackhat, or malicious hacker, or underground, or illegal or illegitimate is completely wrong. He is a professional security expert - they are also called hackers. Failing to distinguishing between the professional, legal hackers and malicious, criminal hackers is a serious failure.
Also, in my own defence, I'm not getting uppity because I broke a good story this week. I am being as much of a dick about the MSM this week as I have been for the past seven years.
-
OnPoint: H4x0rs and You, in reply to Russell Brown,
So what's your guess on whether anyone else suggested that dipshit misguided angle on Paul Craig to Heather Du Pleissis-Allan? Or did she come up with it on her own?
I suspect it's her own.
-
OnPoint: The Source, in reply to Trevor Nicholls,
By the way, do you know how much effort it takes to have a serious conversation with a government department?!
Well I could tell you how much money it *costs* to have a conversation with a government department... except the Privacy Commissioner would waterboard me.