I stand corrected Mr Ng, but if you are right that there was only one large unprotected and unaudited national network, rather than hundreds of smaller localised sub-networks, the decision to eschew both auditing and security controls defies belief.
Even back in the early 90's when big departments moved from 'dumb' terminals on a mainframe to 'intelligent' nodes capable of accessing both mainframe and smaller local apps, the idea of hooking all the nodes into one big network would have been kicked outta consideration immediately. Not just from a security standpoint, which even back then would have created opposition, but because local chiefs want to be able to maintain some opacity from centralised oversight or worse, from their peers, rivals on the career ladder. Of course statistical collation and other essential forms of data mining by central authorities, was possible on these local networks, but HQ examination of nuts n bolts required co-operation from the local site.
One network - that makes the call not to insulate kiosks irrational. It would have been relatively simple and inexpensive.
I guess I better read the report.
Sorry to 'daisy chain' but all sorts of ideas are flicking up, not least of which is that we thought at first this was an Active Directory issue. An Active Directory is the method of setting tasks, access and privileges in networks that feature Windows Server technology, but it may be that winz offices are just conglomerations of independent free-standing PCs with no real control over who accesses what. In other words privacy breaches are the default as every worker can access every other worker's product through shared directories.
@izogi Yeah even the herald report pretty much admitted that the only breaches the report considered were those of Bailey & Ng, with a passing reference to the 'consumer advocate' who warned them last year.
Every Winz regional office (do they still call them that?) would have had their own local area network which was compromised to varying extents depending on what that regional office chose to make available on its LAN. Some may have been more secure than those Bailey and Ng visited and some may have been a whole lot less and opened a door to the 'crown jewels', the national benefits database, even the national identity card database, aka NZ driver's license.
Easy solution Mr Ng, be like winz and play it down. See Deloittes only recommend kicking a few junior IT staff out of their expensive to obtain (if as yet unpaid for) careers.
The poor fuckers who will cop the shellacking will have chosen to ignore the security warnings not from negligence, but for the simple reason that was the only option available to them in circumstances where they were under orders to deliver n kiosks for x dollars.
This report can hardly be described as independent given that a big chunk of Deloitte's revenue comes from Wellington senior public servants' desire for 'outside inquiries' which reliably report that said senior public servants were innocent of all allegations of incompetency and mendacity, further any bad apples were well down the pecking order.
Here we go again. How can I ever explain to those who would rather disagree than consider it possible to simultaneously retain multiple points of view, that hyperbole is a communication style, not a crime.
Incidentally while we're using sports metaphors; how about 'third person in' or whatever the term is for the others who join in a dust up on the paddock? It's rather unsporting this mob targeting eh. Just as well we're all thick skinned.
Still if the wowsers get their way and some sort of 'anti-cyber-bullying' legislation is rammed through parliament (quick nod to NZ's MSM whose determination for regulation of cyber-space is reflected in today's beat up about a cancer survivor being 'cyber-bullied' by a reality TV personage) group mauls of itinerant commenters will be outlawed.
I know I am not the only human disgusted at the ease with which MSM reduces the character of any person in their sights to a handful of black or white cliches.
Yet here we are arguing the toss over the polite name to call a veteran reporter who behaved appallingly towards another human to further an uninformative and
worthless angle on a story.
How can I bitch about something you'll prolly claim I do myself?
What I posted was an opinion, a remark whose significance is a function of however much weight an individual reader places upon my opinions. The weight of an
institutional media outlet doesn't convert a blog poster's opinion into a universal truth, or 'fact' - unlike the way the story was presented of a security consultant 'outed' as a hacker.
It sounds (to me) rather hollow to claim of having never heard journalists
indulge in their macho-bullshit banter about 'deathknocks', door-stepping & who scooped who, how.
Many of these reporters just don't understand how cynical and ultimately
destructive for their industry their actions are.
Another time the same self serving & exploitative dirtbags will claim their work is buttressing the 'last bastion of democracy'.
Yeah right - pull the other one, we're talking about a mob who knowingly publish
alleged 'leaks' fed to them by politicians.
Often the sources' exposure would be a
bigger story than the self interested smear which the journalist so earnestly rewords.
What I posted was far less vitriolic than the line I considered mid-week comparing Claire Trevett's leak of Keith Ng's source in detail (a 'source' previously unknown to most readers) while protecting her own source (whose identity may be a public figure, if not that, at least a public servant .: public interest) with the Karl Rove managed 'leak' that was the last straw which destroyed the career/credibility of New York Times journalist Judith Miller.
Maybe someone else has run that comparison. Regardless, this namby-pamby critiquing of serious flaws in NZ's MSM is only serving to promulgate the
sickness stemming outta too few journos crowded into too small a space, tip-toeing around each other's failings while they deceitfully lambast outsiders.
Yes, I will cast aspersions on a human who pulls the type of stroke that this
lowlife pulled on Keith Ng.
I know neither personally - just their work & from judging them in the light of
their work, IMO considering that particular journalist to be a duplicitous scumbag is pretty mild.
It seems to me, in extreme cases journalism is like law enforcementism, a type of definable personality disorder. Perhaps another time when the sun isn't shining so brightly or spring in the air, I'll try to explain this.
(apologies 4 awful spacing a result of incorrect text editing)
I'd be the last person to want to protect the sleazebags who comprise NZ's media, reporters or the self-appointed commentariat, but it seems to me that there is a big gulf here between what many posters are asking journalists to be and what is actually possible out there in the 'real world'.
I hate to go all metaphysical on a Sunday morning, reality is a subjective beast. It isn't just readers of fishwraps who struggle with that. Anyone who has had to have a position argued for them by a barrister in a court of law, knows how negligible the chances are of lawyers seeing an issue from the same perspective as their client, and then presenting that perspective properly to the court.
We know this from sitting at our keyboards trying to convert our thoughts into intelligible sentences that properly convey reasoning that is internally easily comprehensible, yet sometimes impossible to articulate.
This is why it is always bad to talk to a media person or a policeman, you never know the frame of reference the other person is entering the situation from. Worse you are putting yourself in a position that is thoroughly unfamiliar to you, but is not so for the other, who makes his/her living by being successful at these interactions therefore knows exactly how to play the scene out.
Keith's error was in falling for this duplicitous scumbag's ploy that the two of 'em were just engaging in a bit of journalistic collegial mutual assistance, when clearly as far as the scumbag was concerned she was on a story and Keith was just another potential target to be burned if her job required it.
Surely those of you who have spent time with journalists out on the piss have heard the appalling way that the hacks regard everyone who isn't one of 'them'; how they delight in dragging out old war stories about deceiving 'targets or sources' into saying something the person didn't want to say, but which suited the angle the journo was running.
I know I have, and I find it sickening but that is the reality of competitive capitalist media enterprise.
The sooner everyone wakes up and realises this, the sooner the model will die in the water. Why? Because by refusing to engage with this scum, we leave them stuck for stories, relying entirely on press releases and other forms of dictaphone journalism. Yes that is pretty dystopian, a world dominated by paid for voices, but only in the short term.
Press releases and associated attempts at beat-ups do fill up space on newspapers & the prison camp style controlled web-sites which msm maintain to flog their real-estate listings, but the public hates them and is leaving the mainstream outlets in droves.
And not just because as the sleazebags would have, that people prefer to get their news for free (the cost of a fishwrap barely registers for most of us), but because the content is so boring and predictable.
It's a sense of habit which leads me to traipse around the various media sites daily, but I find myself spending less and less time on them because they are just great cess pools of poorly informed scum seasoned with lashings of popular prejudice. As I said before we're individuals with subjective views of the world - all of us, and the more that mainstream media try to appeal to their readers with a transparent lowest common denominator outlook on a reality that is taking place in the news consumers' back-yards, the more readers they are going to lose.
Well you're correct of course but that won't be how scumbag politicians and their paid liar lickspittles will paint it.
We have seen with ACC, then Kim whatshisname, that a favourite Wellington media handler's ploy is to insinuate the victim is just trying to screw 'the innocent kiwi taxpayer'.
In Kim whatshisname's case there has been absolutely zilch evidence that he plans on doing any such thing; that hasn't prevented the nat fanbois posing as journos on the herald et al from running stories about "How much Dotcom could sue us for".
I really feel for your source who has just got past one extended round of media/pol bashing, cause now another round is pretty much inevitable.
'we' or 'us' the humans who live in NZ should pay close attention to what happens and make sure we store away the name rank and serial numbers of those journos who buy into any such twisted nat slippery as an eel scam.
Freedom of the press should never extend to carte blanche freedom to twist reality to suit a self interested outcome.
Oh well chins up & remember what guru Malcolm said on Saturday:
"The look we're going for is solemn respect, like blokes modelling underpants."
Umm 5000 files eh. Ahhh. . . what format did these files use and how much space did 5000 of 'em take up?
So far there have been 3 potential sidesteps put out by the paid liars in obs. Bennett's office.
(i) The 'anonymous defence'. That it was a complex hack requiring highly trained 'scriptkiddies' (yes oxymoron intentional) to get at the meaningless data.
(ii) The 'ACC smear' That the publication of this is actually payback for a failed blackmail attempt.
(iii) The 'it was the other fella' or trad def 'duck shoving' ploy. This one most likely came from the MSD secretariat. Blame the consultants, after all that is what they get the big bucks for; carrying the can when you're in more shit than a Mangere duck.
There will be other worm squirms floated out on the periphery. After a day or so of seeing which one copped the salute after it was 'run up the flag pole', obs Bennett and M.F. Key will select one & reduce it down to a sound bite then spread it out thicker than muck on a cowshed floor.
Well the chances of the national client database being implemented in M$ sql are slim to none. Much more likely that MSD would have hired contractors to design and build their own system and the contractors hired someone who had been involved in the design and build of a similar system in oz or england.
A domain admin level logon could cause problems but whoever used it would not only need the physical access to the network someone else has already referred to, they would also need to be pretty familiar with MSD protocols and systems if they intended doing much more than the usual 'anonymous was here' stuff without detection.