OnPoint by Keith Ng


OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 14 15 16 17 18 26 Newer→ Last

  • Katita, in reply to Bart Janssen,

    I work in IT, and yes this situation is FUBAR wide and deep. But when working on systems implementations you generally write requirements ... and where do those requirements come from? The business whose problem you are solving. Someone would have accessed and 'solved' the security considerations; maybe these items were given lower priority or put out of scope due to time or money ... again this would have been a business call.
    Of course the breach is massive and sickening ... but to reiterate what others have said, this isn't an IT issue. It's systemic, cultural and pervasive in MSD.
    About 100 years ago I worked in the front office of an alcohol and drug counselling service. This was back in the day (almost) pre-computer. We double-locked all client files, never gave out client information on the phone, used first names only, shredded any document containing client data. The storage mechanism is secondary, either you understand what confidential information is and how to treat it or you don't. Apparently MSD don't.

    Auckland • Since Nov 2006 • 65 posts

  • Katita, in reply to Katita,

    have accessed and

    ... 'assessed'

    Auckland • Since Nov 2006 • 65 posts

  • Ross Mason,

    Keith got $4000???

    Bloody bludger!!!

    Upper Hutt • Since Jun 2007 • 1588 posts

  • Brent Jackson,

    I think he prefers the term "busker" ...

    Auckland • Since Nov 2006 • 614 posts

  • Andrew C, in reply to duke,

    “Ministry chief executive Brendan Boyle says private company Dimension Data was hired to test the security of the kiosks prior to Mr Ng’s experience and reported no problems.” RadNZ

    There was a little more to his statement than just this. He also said that he had yet to verify exactly what they had tasked Dimension Data to check.

    Auckland • Since May 2008 • 167 posts

  • Sam F, in reply to Ross Mason,

    Checked Kiwiblog (for my sins) and pleasingly most people were quite happy with Keith's work - only the one huffy type who told DPF he didn't give money to "socialist losers" voluntarily. You can't please them all...

    Auckland • Since Nov 2006 • 1609 posts

  • Sacha, in reply to Katita,

    The storage mechanism is secondary, either you understand what confidential information is and how to treat it or you don't.

    +1

    Ak • Since May 2008 • 19686 posts

  • Kumara Republic, in reply to Sofie Bribiesca,

    Let’s shoot the messenger instead.

    Shoot the messenger, indeed.

    The southernmost capital … • Since Nov 2006 • 5418 posts

  • Sacha, in reply to Brent Jackson,

    'data-busker' has a certain ring to it

    Ak • Since May 2008 • 19686 posts

  • merc,

    I wonder if when they took the kiosks offline they bumped up staff numbers to cope? I also wonder if they have drawn up a plan?
    I also wonder if this is the straw that gets the PM to the booths early. On so many fronts finally anyone can see this Govt. is woefully broken.
    Oh and suing, surely there is a contract WINZ have broken?
    Is this the death knell for corporatism? Has anyone considered how totally undemocratic it is?

    Since Dec 2006 • 2471 posts

  • Matthew Poole,

    Breaking news, from Mr Boyle:

    Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data’s recommendations on security.

    IOW, the testers found things and were ignored.

    Auckland • Since Mar 2007 • 4097 posts

  • Matthew Poole, in reply to merc,

    I wonder if when they took the kiosks offline they bumped up staff numbers to cope?

    Herald article I saw yesterday said that wasn't going to be happening.

    Auckland • Since Mar 2007 • 4097 posts

  • merc, in reply to Matthew Poole,

    Herald article I saw yesterday said that wasn't going to be happening.

    Their basic duty of care is repulsive. It may be time for a charter, between us and Govt. Our democracy is broken, IMO.
    I blame the CEO model, squarely.

    Since Dec 2006 • 2471 posts

  • Matthew Poole,

    And this, which is even more explicit that the testers found things and reported them, and there was a failure to follow through on what was reported.

    Auckland • Since Mar 2007 • 4097 posts

  • Matthew Poole, in reply to merc,

    Their basic duty of care

    aha. haha. hahahahahahahahaha.

    Auckland • Since Mar 2007 • 4097 posts

  • Martin Lindberg, in reply to Matthew Poole,

    And this, which is even more explicit that the testers found things and reported them, and there was a failure to follow through on what was reported.

    That seems more likely. I've engaged with Dimension Data (or rather, their subsidiary SecurityAssessment.com) a number of times and I really don't believe they would have missed a security issue like this.

    Stockholm • Since Jul 2009 • 802 posts

  • John Holley, in reply to Martin Lindberg,

    Especially as I think it was one of their staff who spoke at Defcon last year on hacking into kiosks!

    Auckland • Since Nov 2006 • 142 posts

  • Russell Clarke, in reply to Katita,

    ... and where do those requirements come from? The business whose problem you are solving. Someone would have accessed and 'solved' the security considerations; maybe these items were given lower priority or put out of scope due to time or money ... again this would have been a business call.

    I cringe when I hear of people blaming the business for the requirements. As a technology consultant who does a lot of requirements work, I'm working with the business to add value, not just to scribe ill-thought out blue sky wish lists.

    Good business analysis consulting is about helping the business realise what they don't understand about technology, uncovering things they haven't considered, challenging their assumptions, highlighting risks and issues, and persuading them to do things the right way.

    Such risks include security, or lack thereof.

    Perhaps the business did indeed treat this as a low priority, but I would expect any savvy technology partner to be raising their hands and shouting about this to the governance stakeholders, and saying it's not acceptable.

    Saying 'we were just following orders' is a cop-out.

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts

  • merc, in reply to Matthew Poole,

    Their basic duty of care...

    aha. haha. hahahahahahahahaha.

    I am fairly sure they have a legal one. Otherwise we are screwed.

    Since Dec 2006 • 2471 posts

  • Kumara Republic, in reply to merc,

    Their basic duty of care is repulsive. It may be time for a charter, between us and Govt. Our democracy is broken, IMO.
    I blame the CEO model, squarely.

    Are we seeing the mirror-flip of the British Winter of Discontent?

    The southernmost capital … • Since Nov 2006 • 5418 posts

  • Matthew Poole, in reply to Russell Clarke,

    Perhaps the business did indeed treat this as a low priority, but I would expect any savvy technology partner to be raising their hands and shouting about this to the governance stakeholders, and saying it’s not acceptable.

    Saying ‘we were just following orders’ is a cop-out.

    In the current political environment regarding privacy of client information, are you at all doubtful that this could've been ignored by those at the governance level? Particularly if the report from S-A was jargon-heavy and could be dismissed as "someone's got an over-active imagination. None of our clients are that smart."

    Auckland • Since Mar 2007 • 4097 posts

  • John Holley,

    I know everyone is pretty much focusing on the privacy breach - and it is huge. But the more I think about this the more I agree with Matthew Poole (good piece on RNZ btw).

    The bigger story here is the biggest security breach in NZ Govt history. Quite frankly we should be assuming that any of the information that was accessible from the kiosk (and Keith only took a small fraction) is 100% compromised and quite possibly in the hands of foreign interests (the security hole has been there for months).

    The cascade effect from WINZ->MSD->the rest of Govt e.g. CERA, DIA etc., is something we need to highlight. It might all come to nothing but, as Matthew said, we have to assume the entire WINZ network (and networks with trust relationships) could have been/was compromised.

    The mind boggles on the potential level of exposure we face.

    Auckland • Since Nov 2006 • 142 posts

  • Sacha, in reply to Russell Clarke,

    Perhaps the business did indeed treat this as a low priority, but I would expect any savvy technology partner to be raising their hands and shouting about this to the governance stakeholders, and saying it's not acceptable.

    Saying 'we were just following orders' is a cop-out.

    It reflects the culture of this government perfectly - a testament to the professionalism of our public servants, ironically. This is where ignoring experts and the public in favour of faith-based 'decisiveness' takes us.

    Ak • Since May 2008 • 19686 posts

  • Grant Buist,

    [Attachment: image]

    This one's for Keith:

    Wellington, NZ • Since May 2012 • 6 posts

  • merc, in reply to Kumara Republic,

    Hehe, I doubt it, but I note that the legal responsibilities of Govt. are never discussed in context with systemic failures.
    It would appear we have no legal right of redress in such instances. Pretty glaring hole in our democracy wouldn't you say?

    Since Dec 2006 • 2471 posts
