OnPoint by Keith Ng

Read Post

OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 4 5 6 7 8 26 Newer→ Last

  • Rebecca Denton, in reply to Russell Brown,

    It seems appropriate to declare this a scandal.

    Job well done, chaps.

    United Kingdom • Since Oct 2012 • 5 posts Report Reply

  • Sacha, in reply to stuartm,

    With greater information sharing across government agencies, it's quite a useful reminder of possible implications, surely?

    Ak • Since May 2008 • 19745 posts Report Reply

  • Craig Ranapia, in reply to Juha Saarinen,

    Oh yes you could… that’s what Keith shows. It wasn’t hard at all, and for Key to say otherwise is just silly.

    Could you do Deborah and I the courtesy of presuming 1) we can accurately access the limits of our own (in)competence, and, 2) that not everyone in the PAS community shares the knowledge and skill-sets of others around here who make a living off knowing shit about gadgets?

    I know the default setting around here is that Key is a mendacious fuck-wit who can’t lie straight in bed, but sorry… as I said, I don’t think he’s wrong on that but manages to totally miss the point. I don't want my personal information to be hard to get to; I want it to be impossible to access for anyone who doesn't have a clearly defined and limited legitimate interest in doing do.

    North Shore, Auckland • Since Nov 2006 • 12370 posts Report Reply

  • Joe Wylie, in reply to Sacha,

    Seems staff using MSD's network in their day-to-day job seem to have global access. Easily.

    Grossman's gone now, but her publicly expressed concern over this breach seems to make Keith's revelations all the more remarkable.

    flat earth • Since Jan 2007 • 4593 posts Report Reply

  • Sacha, in reply to Russell Brown,

    Kay Brereton of the Beneficiaries Advocacy Federation says she told MSD about the flaws in the kiosks a year ago

    Here she is on Radio NZ this morning (2 mins, listening options).

    Ak • Since May 2008 • 19745 posts Report Reply

  • jacqui scott,

    i have a secure file at winz should i be worried i have just spoken to an area manager who told me i had nothing to worry about please help me find out if he is right there is a serious reson i have a secure file

    napier • Since Oct 2012 • 2 posts Report Reply

  • Sacha, in reply to Craig Ranapia,

    Key is simply wrong. It *was* easy, as others have described.

    Please trust those here who do actually know what we're talking about - including experience teaching introductory Windows courses to people who have never used a computer before.

    That doesn't mean every member of the public could do what Keith did. You do need to know more to realise the implications - but that's why organisations spend some of their budgets hiring experts, managers and governors to oversee them.

    Ak • Since May 2008 • 19745 posts Report Reply

  • Sacha, in reply to jacqui scott,

    I suggest contact the Privacy Commissioner right away - http://privacy.org.nz/contact-us/

    Ak • Since May 2008 • 19745 posts Report Reply

  • Craig Ranapia, in reply to Sacha,

    Please trust those here who do actually know what we’re talking about –

    I do, but the patronising head pat was neither helpful nor called for. Please share expertise, but it really helps to keep in mind that what’s obvious or “easy” for you might not be for everyone in the room.

    North Shore, Auckland • Since Nov 2006 • 12370 posts Report Reply

  • Stephen Judd, in reply to Russell Brown,

    That's just a rumour I heard, albeit an all-too-plausible one. I would like someone to look into it though.

    Wellington • Since Nov 2006 • 3122 posts Report Reply

  • Keir Leslie, in reply to Sacha,

    Mind you, you know exactly who could (would) do what Keith did? Bored, inquisitive, mildly anti-social young men. Where might you find a bunch of them -- oh.

    Since Jul 2008 • 1452 posts Report Reply

  • BenWilson, in reply to Russell Brown,

    It seems appropriate to declare this a scandal.

    Totally. To ignore testers suggests that a due process was actually overridden, rather than the processes being neglectfully weak in the first place.

    Auckland • Since Nov 2006 • 10657 posts Report Reply

  • Juha Saarinen, in reply to Craig Ranapia,

    Well... both you and Deborah can turn on your computers, browse the web, post comments on Public Address, etc. That's actually the level of skill required so it is fair to say it was very easy. Think of it as the polar opposite to "secure", as in "totally open".

    Since Nov 2006 • 529 posts Report Reply

  • aim,

    Keith: If you have not done so already, my suggestion, is to get a good PR firm that understands IT on your side. Otherwise the machine will roll over you, as they will likely rely on the fact that the majority of joe public wont even know what this all means. To them, you might as will be speaking in a foriegn tongue. The machine will use that in their favour to ensure they hang you out to dry as the wrong doer and not the fact that their shared systems are seriously flawed!

    Wellington • Since Oct 2012 • 1 posts Report Reply

  • Craig Ranapia, in reply to James George,

    oberSturmbanfuhrer Bennett,

    James George: Stop it. Just stop it.

    North Shore, Auckland • Since Nov 2006 • 12370 posts Report Reply

  • Steve Barnes, in reply to Deborah,

    Computers are a bit like cars: most of us know how to use them, many of us know how to do minor things

    Thing is though that this is akin to looking in the glove box and finding the contents of everybody else's glove box (ok, so you have to invoke the spacial/time anomalies usually encountered in the Tardis but I'm sure you have a handbag and know about such things)
    What I don't understand id why they didn't just use Windows 7, an operating system that not only takes eons to search for files but when you eventually track them down you are not allowed access. Brilliant.

    Peria • Since Dec 2006 • 5521 posts Report Reply

  • Bevan Shortridge, in reply to Pete Sime,

    Keith mentions he could "map any unsecured computer on the network". Which seems (slightly) more than just going to File Open and navigating to network drives?

    So the drives/folders weren't just sitting there already mapped under File Open (which anyone could find)? They had to be mapped first (which is slightly more difficult, although not very if you went looking)? I'm slightly confused now.

    Auckland • Since Nov 2006 • 122 posts Report Reply

  • Heather Gaye, in reply to Craig Ranapia,

    I understand where you and Deborah are coming from, but I think you're getting confused by jargon, as opposed to what's actually required. This is something that someone could do accidentally. ( edit : ah, had another look, & I'm wrong about this - it'd be quite a stretch to do it accidentally.)

    Also, I believe there's an ongoing generational shift (no disrespect intended). I can guarantee that vast swathes of the school-leavers and university graduates that have gone through WINZ since the kiosks were installed will have been capable and inclined to do what Keith did. The most pertinent virtue is a little curiosity, sufficient to override any fear of doing anything wrong (whether that's technically or legally).

    Morningside • Since Nov 2006 • 533 posts Report Reply

  • BenWilson,

    Saying that you wouldn't know how to do Keith's hack is like saying you don't know that addition is commutative. You just don't know the words, but if I rephrased it as "you know that 1+2 is the same as 2+1, right?", you'd be getting a feel for the level of difficulty involved in accessing the data that Keith exposed.

    Auckland • Since Nov 2006 • 10657 posts Report Reply

  • Heather Gaye, in reply to Bevan Shortridge,

    So the drives/folders weren't just sitting there already mapped under File Open (which anyone could find)?

    I thought the same when I read that, but check his first screencap - long list of computers already visible to the network.

    Morningside • Since Nov 2006 • 533 posts Report Reply

  • Deborah, in reply to Sacha,

    Please trust me when I say I don’t know how to do this. Also, I use Macs, so Windows?

    Without being too outrageous about this, I’m pretty well educated, and reasonably able to pick things up if I care to pay attention to them. I just don’t care about computer systems and file systems and things like that. Even the word, “dialogue” , as in “Open File dialogue” loses me, because it’s not language I use. Nor is it anything in which I’m at all interested. I just want the damn computer to work, and I expect our IT people to sort stuff for me if it doesn’t.

    Even if I used whatever this “Open File dialogue” thing is, if I got a screen looking anything like the pictures that Keith has loaded in his column, I would go, “WTF is that?” and hit the button to go back a page. Because it is Greek (geek?) to me.

    So, yes, anyone with more interest in the inner workings of computers and files (and really, what exactly is a “file server”? – I genuinely don’t know, but also, I’m not sure that I actually need to know in order to be able to use my computer)…. anyway, anyone with more interest in the inner workings of computers would undoubtedly be able to read those screenshots in a way that I can’t, and chances are that there are a lot of people who are more interested than me in computers, so there were a lot of people who could go and take a wander through MSD’s files. But I’m not one of them.

    Really, please do me the courtesy of taking my word for it when I say that I really don’t understand the inner workings of computers. Nor do I wish to.

    New Lynn • Since Nov 2006 • 1447 posts Report Reply

  • Martin Lindberg, in reply to Bevan Shortridge,

    Keith mentions he could "map any unsecured computer on the network". Which seems (slightly) more than just going to File Open and navigating to network drives?

    I guess the point is that it could be done by anyone with slightly above average computer skills. How easy or difficult it is to obtain this access are all varying shades of fail.

    It should be impossible to do even for a skilled hacker.

    Stockholm • Since Jul 2009 • 802 posts Report Reply

  • jacqui scott,

    cant get hold of privacy commision answer phone typical i need to find out if my info was safe or has it been acessed help what do i do

    napier • Since Oct 2012 • 2 posts Report Reply

  • Terry Baucher,

    I'm intrigued by the fact that MSD use Veda to pursue those "clients" who owe it money. Leaving aside the appalling security issue, are we all happy that MSD is contracting out a core function of Government? SUch a move is tailor-made IMO for security failures at some stage.

    Devonport • Since Nov 2008 • 91 posts Report Reply

  • Glenn Pearce, in reply to Bevan Shortridge,

    +1 I was just typing more or less the same question

    Keith - did your tipoff come from someone with prior knowledge of the MSD IT infrastructure or just a jobseeker who stumbled across this ?

    Auckland • Since Feb 2007 • 504 posts Report Reply

First ←Older Page 1 4 5 6 7 8 26 Newer→ Last

Post your response…

Please sign in using your Public Address credentials…

Login

You may also create an account or retrieve your password.