OnPoint by Keith Ng

Read Post

OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 6 7 8 9 10 26 Newer→ Last

  • Jimmy Southgate, in reply to Mikaere Curtis,

    You'd need to have understanding of the directory structures that are shown to you, and be able to guess which ones had the data you were interested in.

    I read it a little differently. Say you have plenty of time on your hands, a reasonable reason for being in the WINZ office, using the kiosks relatively frequently, and an inquisitive mind.

    From what I've understood from the screenshots & various comments around here, that'd probably be all you needed. Eventually you'd open something interesting.

    Wellingtown • Since Nov 2006 • 103 posts Report

  • Kumara Republic, in reply to Russell Brown,

    It seems appropriate to declare this a scandal.

    How big a scandal, maybe on par with the Anonymous exposé of HB Gary?

    The southernmost capital … • Since Nov 2006 • 5446 posts Report

  • David Hood,

    As someone whose job is mainly to teach computer courses to people, while a lot of people have had experience with the File menu -> Open command, a lot of people have no experience using computers to open files from other computers on the same network. If your experience is with a computer at home "My Network Places" will generally be a useless button. Equally, if you are using computers in an environment where the files are stored on a central computer, this is normally set up to behave the same way as a home machine. This one added step of opening up a file from another computer is what I think some people are finding a baffling and alien concept, and it is something that could probably do with being spelled out a little clearer in explanations of how easy it was.

    Dunedin • Since May 2007 • 1445 posts Report

  • Sacha, in reply to James George,

    not knowing how to navigate a local area network

    can involve stuff as simple as the way we describe that, as others have pointed out.

    Ak • Since May 2008 • 19745 posts Report

  • Heather Gaye, in reply to Lyndon Hood,

    I'm guessing WINZ would happily send someone on a course to develop the skills it takes.

    Actually, one of my friends has been on a WINZ-associated "business & computer skills" course, and among the skills they've covered is making scones (so they can please their husbands and impress visitors - this is actually what the tutor said). She's pretty annoyed.

    Morningside • Since Nov 2006 • 533 posts Report

  • duke, in reply to BenWilson,

    Totally. To ignore testers suggests that a due process was actually overridden, rather than the processes being neglectfully weak in the first place.

    Par for the course in the Natz delivered climate of fear subsuming our public service thanks to their foolish, crippling budget cuts. DOC is being well and truly violated; while much if our windefrul and unique biodiversity is in free fall decline.

    Trickle down does exist; but only for poisinous shit policies.

    Since Jul 2009 • 24 posts Report

  • Lucy Bailey,

    Seeing as the Chief Executive of MSD came straight from his post as Government Chief Information Officer (CIO) where he was 'responsible for developing and implementing the Government’s Information and Communications Technology (ICT) Strategy and for providing strategic advice on ICT matters' and he seems to be responsible for the whole of the current online approach to government, and was behind the implemention of the kiosks at WINZ - surely he should lose his job? http://www.ssc.govt.nz/appt-ce-msd-aug11

    Since Oct 2012 • 6 posts Report

  • Sacha, in reply to David Hood,

    This one added step of opening up a file from another computer is what I think some people are finding a baffling and alien concept, and it is something that could probably do with being spelled out a little clearer in explanations of how easy it was.

    Can someone whip up or link us to screenshots or a clip?

    Ak • Since May 2008 • 19745 posts Report

  • James George,

    The bigger issue here is people such as Jacqui who have legitimate concerns about whether or not their details have been discovered by peeps that they need to keep such things private from.
    The odds are great that Jacqui and co are safe. Only because the sheet sniffers and the sleazy debt collecting agencies and sordid 'private' detectives who employ them would never have conceived that the data they have been paying so much for was so easily obtainable.
    Nevertheless Jacqui along with many others is rightly concerned about the confidentiality of her information. The issue is as much about whether the client believes they are secure as whether or not the data was compromised. So it behoves the MSD to pay whatever it costs for relocation of these clients, or whatever else is required to keep them feeling safe.

    Since Sep 2007 • 96 posts Report

  • Mahal, in reply to Sacha,

    This outlines the basic process. Note, it's not quite what Keith will have done - he started with File->Open in Word, instead of opening an Explorer window - but the process is the same thereafter. It's something you can do in any office that uses a Windows network (depending on the security your IT department puts in place). I couldn't find screenshots with a quick google, but it'd be easy enough to whip up.
    On a Mac it's even simpler; open a Finder window, look under Shared in the sidebar at the left.
    (For context, I work in tech support, as a fledgling admin - frankly even my skillbase is sufficient to avoid this sort of fustercluck.)

    Auckland • Since Apr 2007 • 31 posts Report

  • Craig Ranapia, in reply to Mikaere Curtis,

    This doesn’t make John Key’s statements true, however. It would have been easy for someone interested in accessing the private data.

    Well, yes… thought I’d made that distinction clearly but apparently not.

    …. who have children hidden from them in CYFS care, and have just been given enough information to find them.

    And that’s the one thing that makes me really fucking cross. Just getting out of an abusive relationship is hard enough when you've been programmed into believing if you leave nobody and NOTHING will ever keep you safe. So, totes awesome MSD – how many people already trying to drag themselves out of HELL have had what little confidence and trust they possess smashed because you fucks couldn’t be arsed doing your jobs?

    North Shore, Auckland • Since Nov 2006 • 12370 posts Report

  • cognitive_hazard,

    If MSD was unable to secure the data what are the chances there is any audit trail of who has accessed the data? Call me cynical but I'd say nil (sorry Jacqui)

    New Zealand • Since Oct 2012 • 13 posts Report

  • Steve Barnes, in reply to Mikaere Curtis,

    Attachment

    That’s a world a way from Clippy chiming in with “You look like you are downloading secret documents, would you like some help with that ?”

    You mean they disabled "Clippy"?. Now that's some tight security. I wonder how the staff managed to use the system without that wonderful little chap?.

    Peria • Since Dec 2006 • 5521 posts Report

  • Emma Hart, in reply to Hamish,

    Also, hearing that the files were writeable (editable).

    Really? Jesus.

    Christchurch • Since Nov 2006 • 4651 posts Report

  • Jonathan King,

    To extend (flog?) the car metaphor -- this wasn't change-the-oil difficult it was reverse-into-a-car-park difficult.

    Since Sep 2010 • 185 posts Report

  • Jonathan King, in reply to Emma Hart,

    Also, hearing that the files were writeable (editable).

    Holy. Shit.

    Since Sep 2010 • 185 posts Report

  • Hamish,

    Well, hopefully Keith can verify that claim, but if so...

    The A.K. • Since Nov 2006 • 155 posts Report

  • Joe Wylie, in reply to Steve Barnes,

    You mean they disabled "Clippy"?

    Wasn't he justifiably beaten to death years ago?

    flat earth • Since Jan 2007 • 4593 posts Report

  • Hebe, in reply to Craig Ranapia,

    Funny that’s your go-to response, rather than sacking the people who as far as I understand have had a heads-up on this before and did sweet Fanny Adams.

    Craig, I understand this is a hideous start to the week for you, and I wouldn't contribute to PA if I wasn't thought-provoked and disagreed with. How about about we call a truce and discuss rather than snark? (My tongue can be nasty but I try nowadays to play nicely)

    My view is that MSD's Minister claims credit for successes and responsibility for policy "initiatives" such as the self-service kiosks, so the inverse of taking responsibility for an appalling failure is also the case. Inevitably ducks will be shoved, and the decision-makers will be Key and Joyce. They will push Paula Bennett if it is required to keep National in government: this one is a 'whatever it takes' scandal. The bad management and governance may also track back to Labour's terms of office.

    As for technical competence required to access this information: I am very, very basic when it comes to computer operation, and I would have found those files simple to enter and save on a stick.

    @Keith: Were National Super-related files wide open too?

    Christchurch • Since May 2011 • 2899 posts Report

  • Steve Barnes, in reply to Jonathan King,

    Also, hearing that the files were writeable (editable).

    That would mean deletable too but they would have backups... wouldn't they?
    ooops!

    Peria • Since Dec 2006 • 5521 posts Report

  • Che Tibby, in reply to Deborah,

    Please trust me when I say I don’t know how to do this

    frankly, joe public not having the specific skills is totally irrelevant.

    the fact is that people with skills can and probably do have a very very large MSD dataset somewhere that is not inside government.

    the back of an envelope • Since Nov 2006 • 2042 posts Report

  • Tom Beard, in reply to Jonathan King,

    To extend (flog?) the car metaphor -- this wasn't change-the-oil difficult it was reverse-into-a-car-park difficult.

    Or hearing that someone's out to get you, and could walk into your garage at any time, and responding "Someone said that meant they could disable my brakes. I only care about driving, not about the mechanics, but I suppose someone who knows about cars could do that".

    It sounds trivial to focus on the technical details when people's privacy and perhaps safety is at stake, but the ease of doing this affects the likelihood that any given person with malicious intent could take advantage of it. If it required specialised tools and skills that only a handful of obscure hackers would have, then of course that's a worry. But if it only requires skills that are available to hundreds of thousands of people, then the chance of someone with a grudge exploiting it are vastly increased. The statements of John Key, and of some people in the media who seem to take a blithe pride in their technical ignorance, act to downplay the seriousness of this breach.

    Wellington • Since Nov 2006 • 1040 posts Report

  • rodgerd, in reply to Rich of Observationz,

    To amplify Rich's point about government pay scales: I applied for a job in 2008 with a government department that do actually take IT very seriously, and are well-funded, and they were paying about 20% below market rates for the position. I have no idea what the landscape looks like in departments that don't take it as seriously and after several years of austerity treatment for staff, but I'm guessing something about peanuts and monkeys applies.

    Wellington • Since Nov 2006 • 512 posts Report

  • Rich of Observationz,

    A large number of people, possibly a majority, don't understand folders/directories at all. They save in the default folder each app presents, and get confused and call an expert if this changes (and mail attachments in Outlook totally screw them).

    That's why Google have de-emphasized the folder concept in most of their things, preferring to rely on categories, binding data to an application and search.

    Back in Wellington • Since Nov 2006 • 5550 posts Report

  • TracyMac, in reply to cognitive_hazard,

    Since "successful file access" auditing isn't enabled by default on Windows boxes, I'd say it's extremely likely there is no record of what accounts have accessed which files.

    I'm still appalled that these kiosks weren't set up as "kiosk-style" machines, of which there are copious examples around the place, with accounts that are basically "guest" accounts (assuming they need to be in the Windows security domain for other reasons). To compound that with editable file permissions is unbelievable, since a user with access to a share has "read" access by default. Of course, users can be members of groups with greater access, but they have to be put into those groups.

    So either someone didn't configure the account(s) properly (which frankly, is the "easy" solution), and they or the person who developed the faulty process should be fired, or a whole bunch of people up the chain signed off on this security breach. And yes, as a lowly techie, I would have kept the arse-covering material that said "do it like this" with authorisations.

    As for the ease of how to do this, and to continue the car analogy, the relative skill would be like someone who's comfortable with doing an oil change and oil filter replacement. Basically, not very difficult for someone with slightly extended knowledge of computers on enterprise networks. Possibly even less, because someone could inadvertently bring up that dialogue in Word and start clicking around from curiosity.

    I also disagree with the point that someone would have to know what they were looking for to get any use out of this. Copying all those sensitive files to a USB and uploading to Wikileaks or a similar organisation would have been trivial. Or poking around and making edits to files just for "fun".

    Canberra, West Island • Since Nov 2006 • 701 posts Report

First ←Older Page 1 6 7 8 9 10 26 Newer→ Last

Post your response…

This topic is closed.