OnPoint by Keith Ng


OnPoint: #WTFMSD: "Damning"

68 Responses


  • Matthew Poole, in reply to nzlemming,

    It’s more likely that the online records are backed up with the system data, rather than the reason for the backup of the system data

    Which is what I was trying to say. They have to back up anything vaguely classified as records, and they have to back up systems. Since logs will fall into one of those categories over a short term, and it's much easier to develop a backup retention policy to support the most anal requirements that apply to your situation, the logs will almost certainly be available for much longer than just however long they're left sitting on a hard drive. And that's regardless of whether the logs themselves fall under the ambit of the PRA.

    Auckland • Since Mar 2007 • 4097 posts

  • BenWilson, in reply to Sacha,

    rather different ethical/legal implications

    Yup, technically. Practically, no one would ever know. If you decided to let them know, you could tell them that you only kept MD5s of the data for proof of existence purposes. You could even do exactly that, if you were a stickler.

    Auckland • Since Nov 2006 • 10657 posts
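The "keep only hashes for proof of existence" idea in the post above is, in defensive terms, an evidence manifest: a record that lets you later prove a file existed with exactly this content, without retaining the content itself. The following is an added illustration, not code from the thread or from Keith Ng; it substitutes SHA-256 for the MD5 the post mentions (MD5 collisions are cheap to make, so an MD5 manifest proves less), builds a manifest over a constructed temporary directory, publishes a single fingerprint of the manifest that could be timestamped or sent to a third party, and then checks a file against the manifest after it is tampered with. All file names and contents are constructed for the example.

```python
"""Hash manifest as proof of existence without retaining content (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def file_digest(path, algorithm="sha256"):
    """Stream a file through the chosen hash so large files do not load into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Record relative path, size and digest for every regular file under root.

    Sorted traversal makes the manifest deterministic, so two people hashing the
    same tree produce byte-identical manifests.
    """
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            files[rel] = {"size": p.stat().st_size, algorithm: file_digest(p, algorithm)}
    return {"algorithm": algorithm, "files": files}


def manifest_fingerprint(manifest):
    """One hash of the canonical-JSON manifest: the value you would publish or timestamp."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def verify_file(manifest, root, relpath):
    """Check a file later produced against the manifest: match, mismatch, or unknown."""
    entry = manifest["files"].get(relpath)
    if entry is None:
        return "unknown"
    alg = manifest["algorithm"]
    actual = file_digest(Path(root) / relpath, alg)
    return "match" if actual == entry[alg] else "mismatch"


def demo():
    """Build a manifest over constructed files, then show tamper detection."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample data, not anything from the thread.
        (root / "a.txt").write_bytes(b"hello world")
        (root / "sub").mkdir()
        (root / "sub" / "b.bin").write_bytes(bytes(range(256)))

        manifest = build_manifest(root)
        fingerprint = manifest_fingerprint(manifest)
        before = verify_file(manifest, root, "a.txt")

        # Simulated later modification of the content: the manifest still proves
        # what the original looked like, without having kept it.
        (root / "a.txt").write_bytes(b"hello world!")
        after = verify_file(manifest, root, "a.txt")

        return {
            "count": len(manifest["files"]),
            "a_digest": manifest["files"]["a.txt"]["sha256"],
            "before": before,
            "after": after,
            "unknown": verify_file(manifest, root, "never-listed.txt"),
            "fingerprint": fingerprint,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself reveals nothing about the contents beyond size and path, which is the point: handing over the data and keeping only the manifest (or just its fingerprint, lodged with someone independent) lets you later demonstrate that a given document was in the set, while giving you no copy of the document.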

  • Sacha, in reply to BenWilson,

    no one would ever know

    except oneself, grasshopper

    Ak • Since May 2008 • 19745 posts

  • Karen Adams, in reply to Matthew Poole,

    But they do not if you include all paperwork submitted by beneficiaries. Seems to me that would be vaguely classified as a record. They have policies about what they scan in so not everything is kept (and hard copies are not always kept either).

    Under your bed • Since Oct 2012 • 16 posts

  • BenWilson, in reply to Sacha,

    except oneself, grasshopper

    Sure, although from a personal ethical point of view, you'd know:
    1) The data was harmless
    2) You had already seen it
    3) You did not intend to use it, because of 1) and 2), for any other purpose than establishing whether incompetence was followed by cover up, which would actually be a good thing to know.

    ETA: It could also be a good thing for other people to know.

    Auckland • Since Nov 2006 • 10657 posts

  • FletcherB,

    Ben,

    What if "they" aren't as incompetent as you suspect, and they do indeed detect that you have more data than you admitted...

    Then you could be in a pile of legal doo-doo...

    West Auckland • Since Nov 2006 • 893 posts

  • Rich of Observationz, in reply to Russell Brown,

    There are a bunch of ways something could be escalated:
    - at an extreme, a bearded, scrofulous sysadmin (for it would be he) could have entered a senior manager's office and screamed at the person until he took steps to rectify the problem
    - at another extreme, managers could have been extended a standing invite to daily stand-up meetings - and of course never attended
    - the traditional approach would have been to send a memo or email cc'd to everyone the sender can think of. This might well provide effective blame transference. But that's unfashionable nowadays.

    Back in Wellington • Since Nov 2006 • 5550 posts

  • BenWilson, in reply to FletcherB,

    What if "they" aren't as incompetent as you suspect, and they do indeed detect that you have more data than you admitted...

    The pile of legal doo-doo would be roughly the same as the pile involved in taking the documents that actually were sensitive, by the thousands. If they were going to come after you for anything, it would be that, not withholding non-sensitive information for the purposes of checking whether they cover incompetence with lies.

    If they do detect it, then they'd probably also detect that the documents are not important, and I'd think they'd probably just proudly tell you they detected them, in the hope that you report that there are limits to their incompetence, and that they are not liars. Rather than antagonizing you in a story that's already extremely embarrassing to them.

    Of course there always was a chance that they would just go for Keith, and he could have been completely ruined by this scoop.

    Perhaps a more "safe" way of doing what I'm saying would have been for Keith to simply have deleted a random number of files from his stick*, then given it to them, saying "Here's all of it, and I deleted a random number of files. Now, you tell me what that random number is. If you can't then it's clear that not only have you left this open, but you can't tell how much of the data has been accessed". Then they could either take up the challenge or not, and the scoop would have just that little bit more information on the extent of the breach. If they could provide that random number, then everyone could feel just that little bit happier that these files haven't been got at by whosoever felt like it for over a year.

    Hindsight - always 20/20.

    *ETA OK, just to be safe, better would be to copy a random number of them to another stick, then hard-format the old stick, then smash it to pieces with a hammer, and give them both the new stick and the crumbs of the old one. Just so that they can't somehow go through the stick OS and find the deleted entries.

    Auckland • Since Nov 2006 • 10657 posts

  • Sacha,

    Putting in place and overseeing project risk and escalation processes is not the job of those at the bottom. Poor governance is a big problem throughout NZ organisations.

    Ak • Since May 2008 • 19745 posts

  • Keith Ng, in reply to Matthew Poole,

    That looks pretty damned searchable to me, if one had a spot of inside info.

    Those file names were from the case files server logs. The case file server itself was inaccessible. Most of my grabs were from the invoice server, which was unsorted and unnamed.

    Auckland • Since Nov 2006 • 543 posts

  • Keith Ng, in reply to Rich of Observationz,

    the traditional approach would have been to send a memo or email cc'd to everyone the sender can think of. This might well provide effective blame transference. But that's unfashionable nowadays.

    Ass-covering CCing never goes out of fashion. In fact, I imagine lawyers for the four people under the gun are looking pretty goddamn hard for those emails right now.

    Auckland • Since Nov 2006 • 543 posts

  • Marc C,

    Welcome to "Ringfenced MSD" and "Ringfenced WINZ"!

    This is a hugely sick joke and scandal what is going on. So 4 junior staff members are to blame for it all, for supposed "sloppiness"? How many did warn them (MSD) over the last 2 years, and who was in charge? How above all did the problem start?

    This stinks, it stinks, it smells really bad, and it is scandalous. Brendan Boyle and Bennett, same as their top management, they are all just covering up, protecting their possies and salaries. The whole system was set up in a totally flawed manner, then a beneficiary advocate AND the company that was involved in setting up the system, and last but not least Bailey and others all warned MSD, and nobody took note and any action?

    Of course it is bulls to say the data is only about 10 people. Then they also admitted the other day, it is better not to let the 1 thousand plus people know about them having been affected, as it would cause more harm than good.

    This is a bit like the old "Eastern Bloc" kind of mentality and processes being followed at MSD. Or is it the mega corporate approach, covering up a scandal? Shut off, close every communications, hold well timed, brief, highly censored media conferences, cover up and blame the underlings for it all.

    I have NO faith in this Ministry, the Minister, her lackey CEOs and how WINZ is run. Trouble is, this is causing a big embarrassment, right when Bennett and the government want to push through highly controversial welfare reforms.

    They do not want that being affected and mud stick on their skirts and trousers.

    Dig deeper, dig up all the rot and crap from under there!

    Auckland • Since Oct 2012 • 437 posts

  • Marc C, in reply to John Holley,

    John - You are soo right! The same is happening at ACC. There was all this fuss about the privacy leaks, and Pullar going into a meeting with management to negotiate a settlement, while telling them she was sent sensitive info about so many hundreds or more other clients. Heads were rolling. But what else came out and was to some degree proved. They use hatchet doctors, getting paid hundreds of thousands a year, paid to travel all over NZ to do assessments and recommendations on difficult, complex clients that can cost ACC a lot.

    Those medical and rehab professionals were exactly the ones that were known to be on the hard line, and to give ACC the reports and recommendations they wanted. Now has there been much debate about this? No, the mainstream media did not dig into this much, some editorial in the NZ Herald even warning to not go too far in criticising ACC's policies to contain costs.

    So all that has now gone under the radar again since September, and privacy, privacy, that is the usual topic.

    It stinks, for sure, and poor journalism (being the victim of restructuring, cost saving and focus on mainstream, commercial interests) has something to answer to all this.

    Auckland • Since Oct 2012 • 437 posts

  • Matthew Poole,

    In today's news:

    Computer terminals used for 13 years by job seekers at Work and Income offices had the same security flaw as the self-service kiosks at the centre of the major privacy breach at Winz.

    But they're still quite certain there's been no privacy breach.

    Auckland • Since Mar 2007 • 4097 posts

  • BenWilson, in reply to Matthew Poole,

    But they're still quite certain there's been no privacy breach.

    I thought they just had no evidence of it. It's on the public if they can't tell the difference between "No evidence of x" and "Evidence of no x". Ironically, since the term "conspiracy theory" came into existence, there's been a tendency to equate them.

    Auckland • Since Nov 2006 • 10657 posts

  • TracyMac, in reply to Keith Ng,

    Yup, I'm still keen on wielding the good-old carefully-selected cc when necessary. People don't grump at you if you don't default to the scattershot approach.

    As long as someone in your management chain or the organisation's Security group is included, you're covered. Especially in these days of email journalling and retention, which often means you don't need to keep it physically sitting in your inbox forever. (Although hanging onto that "problem" correspondence is never a bad idea.)

    Canberra, West Island • Since Nov 2006 • 701 posts

  • Sacha, in reply to Matthew Poole,

    But they're still quite certain there's been no privacy breach

    Bennett repeated that claim to Parliament in Question Time today when asked (in a Supplementary to Q5) about the comment on this thread by someone other than Keith or Ira about also having accessed the network through the kiosk flaw.

    Ak • Since May 2008 • 19745 posts

  • Tim Michie,

    Auckward • Since Nov 2006 • 614 posts
