OnPoint by Keith Ng

Read Post

OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 22 23 24 25 26 Newer→ Last

  • Sacha,

    MSD release their first report into the breach - media release and link to full report here.

    Ak • Since May 2008 • 19745 posts Report Reply

  • Sacha,

    And more info sought under OIA by Keith.

    Mr Ng told NBR he has also fired off a series of Official Information Act (OIA) requests in a bid to learn how blogger Cameron Slater got information about the scandal so quickly, and who tipped off Herald journalist Claire Trevett about the identity of his source (Urewera 17 member Ira Bailey).

    To that end, he was sent OIAs to the MSD, the Prime Minister’s office and Social Development Minister Paula Bennett’s office asking for all correspondence each has had with Mr Slater, and Ms Trevett.

    ...

    Ak • Since May 2008 • 19745 posts Report Reply

  • Sacha,

    Keith has a new post about the review report.

    Ak • Since May 2008 • 19745 posts Report Reply

  • Ian Dalziel,

    Danger Will Robinson...
    Ill fated Novopay system leaky too...

    Sacred Heart deputy principal Alison Spencer, who is also an accountant, said she could access her own pay details, and add and validate her own leave.
    And although she could not change her salary, she could have added as much extra overtime as she wished, and so could executive officer Irene Newrick.
    Mrs Spencer was so shocked that she walked straight out of her office and told an auditor who happened to be at the school.
    "I just need to tell you what I have just done. I've just accessed my pay," she told the auditor, who replied: "I don't think I want to hear this."
    "There's no way I should have access to my pay, and Irene have access to her pay," Mrs Spencer said. "I can go in and do whatever I want to do, which is not good."

    (my emphasis - to show the head in the sand approach immediately adopted)

    ...but I guess our inability to design good computing systems may forestall this inevitable problem... - though we'll probably manage to do it by accident, mismanagement or oversight...

    Christchurch • Since Dec 2006 • 7953 posts Report Reply

  • Kyle Matthews,

    “I just need to tell you what I have just done. I’ve just accessed my pay,” she told the auditor, who replied: “I don’t think I want to hear this.”

    I say that about three times a day. Typically followed by a pause and then figuring out what the problem is.

    Since Nov 2006 • 6243 posts Report Reply

  • Ian Dalziel, in reply to Kyle Matthews,

    I say that about three times a day.

    But do your bosses then go on to say it never happened?

    Christchurch • Since Dec 2006 • 7953 posts Report Reply

  • Sacha, in reply to Ian Dalziel,

    my emphasis - to show the head in the sand approach immediately adopted

    I read it as humour. Ministry response, not so much.

    Seen several stories now about access permission problems with the system, but not clear if that's technology failure or the human systems around it. Both covered by contract, surely.

    Ak • Since May 2008 • 19745 posts Report Reply

  • Kyle Matthews,

    But do your bosses then go on to say it never happened?

    Well that depends! But "I don't want to know!" isn't the head in the sand bit, that's just dealing with shit happening.

    Since Nov 2006 • 6243 posts Report Reply

  • Karen Adams,

    Yeah, the response from the ministry is as comical as the rest of this saga. I wish I could bet on Novopay outcomes somewhere so I could make some easy money. Of course tonight's pay isn't going to go well! Their saving grace is the Hobbit opening which get's Campbell off their ass for another night.

    It occurred to me a few weeks ago that the system might be a scam target. I can picture someone posing from MoE coming into a school office with overworked and stressed, saying they were there to help. God only knows what damage such a person could get up to if left in the room.

    And has anyone else noticed that they have kept quoting the same 8000 errors figure for the last few weeks even though the Principal's association has said that there are STILL new problems arising (interview was on Breakfast yesterday)?

    Under your bed • Since Oct 2012 • 16 posts Report Reply

  • Matthew Poole,

    The bit that stunned me about Novopay was the Hamilton (IIRC) school that got to see pay details for another school after the administrator put in the wrong code. That's a fundamental user authentication failure, compounded by a data segregation failure it would appear. The wrong code should respond that the user isn't authenticated, it should never be sufficient for a single PIN to be the entirety of the protection of payroll data.

    Auckland • Since Mar 2007 • 4097 posts Report Reply

  • Ian Dalziel,

    One of the things that seemed strange to me, was their non-reason for not trialling Novopay© in just one region - something along the lines of some teachers work at more than one school...

    found it:

    "Trialling it in some schools would have been practically impossible, because of the fact so many teachers work in a multiple number of schools and move during the year between one school and another."
    "Trialling it in a particular areas means that you'd have people on two systems simultaneously and it was just not possible."

    - but those schools would still be in the same geographic region wouldn't they? And they'd have to have a plan for people leaving the system at any time anyway, or is there a whole class of city-hopping teachers we don't hear about?

    Christchurch • Since Dec 2006 • 7953 posts Report Reply

  • Sacha, in reply to Ian Dalziel,

    Some teachers move between regions, but it's a nonsensical argument against a regional trial, yes.

    Ak • Since May 2008 • 19745 posts Report Reply

  • Sacha,

    Associate Education Minister Craig Foss seems to have been learning slipperiness from Parata if yesterday's Parliamentary Question about Novopay responsibility is anything to go by. Note the farce of Foss answering on behalf about Parata's confidence in him.

    Ak • Since May 2008 • 19745 posts Report Reply

  • Matthew Poole,

    Now we find out that there was a critical flaw in the kiosk implementation that, despite having been fixed, was so serious that to even reveal what it was could compromise the security of the MSD network in future.

    #WTFMSD indeed.

    Auckland • Since Mar 2007 • 4097 posts Report Reply

  • Steve Barnes,

    Digging into Novopay

    After a little research, looking at Wikipedia, I came up with some interesting facts...
    The Ministry of Education's payroll used to be run by Datacom, partly owned partly by NZ Post (35%) until that shareholding was sold to the New Zealand Superannuation Fund for $142m in December 2012, less than 6 months after NZ Post incorporated a new payroll scheme designed by Talent 2, the creators of the infamous Novopay system.

    "Datacom lost the contract to Talent 2, the creators of Novopay in a competitive tender in 2007(1). Datacom’s chief executive, Greg Davidson, claims the company had a reputation for the “accurate delivery of pay to teachers" and says “we’re proud of our extended track record of delivering the payroll with minimal fuss and error for the duration of our watch."

    NZ Post experienced problems similar to those being faced by the Education Ministry.
    One has to ask why a New Zealand owned and operated, proven, system was ditched by this Government in favour of a small Australian owned Public Relations company prone to failure.

    “Novopay is one of the largest payroll systems in Australasia covering approximately 110,000 people and 15 separate collective agreements. After meeting with the key parties involved over the past week, it is clear the issues it has are complex, that there is no quick fix, and problems will continue for some time,”
    Steven Joyce

    Perhaps this is why?

    Is the Government RFP process broken?
    by Software vendor CEO

    In last week's Newsline Juha Saarinen discussed an article from TradeMe's Mike O'Donnell about the RFP process. We were contacted by a number of New Zealand vendors with similar concerns. This commentary outlines in detail some of the problems from the perspective of a CEO of a medium-sized company with a history of dealing with Government. For obvious reasons the author has chosen to remain anonymous.

    (1)
    Datacom were told the loss of the contract centred on Talent 2 offering “a more proven system”
    http://www.listener.co.nz/commentary/the-internaut/leaked-email-novopay-forerunner-laments-having-our-good-record-tarnished/.

    Tui ad anyone?.

    And the last word goes to Greg Davidson at Datacom
    eMail to staff at Christmas

    Peria • Since Dec 2006 • 5521 posts Report Reply

  • Tim Michie,

    Please forgive if you're already read but in case not http://norightturn.blogspot.co.nz/2012/11/unseemly.html...

    Auckward • Since Nov 2006 • 614 posts Report Reply

  • Steve Barnes,

    Thanks Tim, the stink pile gets deeper but I am not going to be the guy who puts his head on the block, that position belongs to those that claim the responsibility for such a wonderful example of government incompetence, or as they call it.... progress.

    Peria • Since Dec 2006 • 5521 posts Report Reply

  • Steve Barnes,

    What is wrong with this statement?.

    He warned schools to brace themselves for what would be the toughest test on the system yet because of the changes to secondary teachers' pay rates as a result of the new secondary teachers collective agreement.

    Surely if the agreement is collective all you should have to do is change the value of a pay-scale code? surely?
    If not then the system will never work.

    Peria • Since Dec 2006 • 5521 posts Report Reply

  • Ian Dalziel,

    Attachment

    Have they fixed the MSD systems yet?
    While looking for some information on gov’t sites about bullying (to comment more constructively on Aaron Gilmore’s hazily recalled behaviour in Hanmer) I was directed to an MSD site but got this warning (see above)… ???

    <added> I see other gov't sites had problems yesterday too...

    The Gilmore ‘event’ just keeps on giving, but I am appalled that The Press has pulled all comments from the updating story, with no explanation offered, when they constantly rail against lack of openess and transparency – double standards, much!

    I shall be writing to Mr Key and Mr Gilmore to encourage them to ignore all calls for Mr Gilmore to resign, as we need politicians of their low calibre to ensure National is roundly and soundly defeated next election…

    Christchurch • Since Dec 2006 • 7953 posts Report Reply

  • Rich of Observationz, in reply to Ian Dalziel,

    That error means that either the sites SSL certificate is invalid, or someone is man-in-the-middling your SSL traffic.

    The MSD SSL cert looks good today and was renewed on 27th Feb. So somebody is clearly trying to spy on you!

    Back in Wellington • Since Nov 2006 • 5550 posts Report Reply

  • Ian Dalziel, in reply to Rich of Observationz,

    So somebody is clearly trying to spy on you!

    Seriously?

    Anything else I can do to check that, or better, stop it?

    Christchurch • Since Dec 2006 • 7953 posts Report Reply

  • Rich of Observationz, in reply to Ian Dalziel,

    Well, it may be that they had a temporary cert problem, but I went to https://www.msd.govt.nz just now and the certs fine.

    Check if you have a proxy server. Proxies should pass through SSL, if they don't then it's a configuration problem (or a cackhanded attempt to pry).

    The MSD IP should be something like 202.27.58.107. If ping www.msd.govt.nz doesn't show this, then your DNS is suspect.

    I was looking for a way in Chrome to see what IP a page is getting served from, but nothing obvious. There are tools that will do this, but we're getting a bit deep here.

    Back in Wellington • Since Nov 2006 • 5550 posts Report Reply

  • Ian Dalziel, in reply to Rich of Observationz,

    Ta for that, R of O
    I'll look into it a tad more...

    Christchurch • Since Dec 2006 • 7953 posts Report Reply

  • Dave Patrick,

    I'm not sure why that page is being served up across https when Ian tried to access it - when I access it, it's a straight http page, not a secure page.... and when I access it via https, the certificate is fine

    Rangiora, Te Wai Pounamu • Since Nov 2006 • 261 posts Report Reply

  • Rich of Observationz,

    I think it defaults to what you ask for, e.g. the site is available on http or https.

    An increasing number of sites (like this one) are going https-only, because it's easier in many ways (and it makes more work for government spy agencies if everything on the net is encrypted).

    Back in Wellington • Since Nov 2006 • 5550 posts Report Reply

First ←Older Page 1 22 23 24 25 26 Newer→ Last

Post your response…

Please sign in using your Public Address credentials…

Login

You may also create an account or retrieve your password.