Posts by izogi


  • OnPoint: H4x0rs and You, in reply to martinb,

    I guess the terrifying question is if our government departments are so poor on information security and weak on network security

    I couldn't say for certain, but I feel bad right now for some of the government IT and IS people I know who are really smart and careful at what they do with regard to information and network security, but (just so we can be convinced situations like those at MSD and ACC aren't widespread) will now have to put up with more expensive government-wide investigations and audits and people making more demands that pull them away from their primary work they'd rather be keeping up with. I guess that's the way stuff works when part of the government really screws up. Given what's happened, it's better to go through that process than not.

    Wellington • Since Jan 2007 • 1142 posts Report

  • OnPoint: H4x0rs and You, in reply to Rich of Observationz,

    Economics stories are rubbish, science stories are rubbish. Possibly the sport stories are accurate and informed, I wouldn't know.

    Maybe it's old news in this circle but I remember a Radio NZ Mediawatch discussion several years ago, probably re-incarnated in other discussions since then, regarding the modern changes in how journos are often recruited. As in, media outlets in the early days tended to hire people who were experts in a field or two, and then taught them journalism. Today, however, it's more common for someone to do a journalism degree straight out of school, then walk directly into a media job whilst still having very little experience of anything else in the world around them. From those here with media backgrounds, did I understand this correctly, or is there more to it than that?


  • Hard News: Special Sources, in reply to Russell Brown,

    But if you're given the name, you have to justify not printing it.

    True, but I'm still convinced that if Ira had gone to a bigger outlet from the beginning, it'd be much less likely we'd have learned his name. Would it not be easy to justify not printing it for Ira's own privacy? I really can't see justified public interest in knowing Ira's name. His only relevance has been to be one of at least tens of thousands of people in New Zealand with sufficient IT skills who could have easily stumbled on this issue, and then he was the first to usefully tell someone about it in a way that caused MSD to take it seriously. The only remotely interesting thing about his involvement is his initial contact with MSD, but that's been blown out of proportion and used for irrelevant smears and diversions, along with him having been one of the un-prosecuted Urewera 17 (nothing to do with MSD's security leak).

    On the flip-side knowing who leaked his name would be completely in the public interest due to the government's breach of a person's privacy for the purposes of diverting attention from a story on how MSD had a big security leak for more than a year, knew about it, and had a completely ineffective process for dealing with it.


  • Hard News: Special Sources, in reply to Craig Ranapia,

    But either way, I still think it's a matter of legitimate public interest to know where this came from, because I'm personally not cool with politically motivated smears being waved off with "we don't disclose our sources."

    To me this seems like the bigger media outlets getting back at a blogger because he beat them to breaking a major story. If the issue had been leaked direct to the Herald or Fairfax (as if the usual journos there would have the geeky competence to investigate as Keith did), the original source might never have been released short of a totally open Ministerial or MSD press release.


  • Hard News: Special Sources, in reply to Craig Ranapia,

    But I could also note that if Claire Trevett's source was from within the MSD (and I've no evidence either way) then, The Herald knowingly published a pork pie from Brendan Boyle.

    I don't see how he could possibly know for certain. Chances are there were many employees who knew about this, given how word gets around. Especially when people feel threatened, and an impression of being blackmailed would be normal if the circulating gossip is selective. Out of that, who's going to honestly own up to leaking a name given the likely consequences?

    The LinkedIn thing is suspicious combined with the Minister's track record, but it doesn't prove anything except that the Minister knew the name. Searching the web is one of the first things most sane people would do if informed of something like this. The LinkedIn profile is near the top of Google's results.


  • OnPoint: MSD's Leaky Servers, in reply to Tom Beard,

    The CEO's just said on live TV that they can't guarantee that other people haven't accessed the same info Keith did.

    If the kiosks have been sitting there like that in public for a year or more, it'd be incredible if other people hadn't accessed the same info. It'd just be luck if it hasn't been bulk-copied or otherwise used maliciously.


  • OnPoint: MSD's Leaky Servers, in reply to cognitive_hazard,

    If this happened at any private enterprise heads would roll top to bottom, why should Govt be any different.

    Are you sure?

    I hear this line from time to time, but then I see private sector businesses seemingly acting with indistinguishable incompetence from some government organisations, just as I've seen government entities that have awesome competence and organisation skills. (We rarely hear about them for good reason.) I'm not convinced this has much to do with differences between the public and private sector.


  • OnPoint: MSD's Leaky Servers, in reply to TracyMac,

    Basically, not very difficult for someone with slightly extended knowledge of computers on enterprise networks. Possibly even less, because someone could inadvertently bring up that dialogue in Word and start clicking around from curiosity.

    I totally agree. I know countless people, IT-background and not, who'd be able to pull this off easily, and many of whom would stumble on it accidentally because they like poking things, especially when a locked-down machine also prevents them from doing something they consider trivial and completely normal. (When computers give you 10 ways to do something, it's natural for some to try method B when method A doesn't work.)

    The discussion here about some people's technical ability to figure this out is beside the point. It's the people who can do it who should worry everyone, and whatever one's ability to understand Keith's descriptions, it's definitely not tricky or obscure stuff. Most people wouldn't abuse it, but it only takes one, and there are some really basic chain screwups here on WINZ's part which have allowed it. (Firewall in the wrong place, account permissions, lack of effective testing, failure to respond to reports a year ago of the problems, etc etc.)


  • OnPoint: MSD's Leaky Servers, in reply to Sacha,

    Any IT manager right up to the new CIO should have spotted this stuff and fixed it.

    That's true, although more to the point when I worked at a small/mid-sized government department up to a couple of years ago, our IT team employed a person whose specific responsibility was to keep track of the IT security implications of virtually everything the department did, be up-to-date with everything relevant, stay in touch with the spooks regarding things like espionage risks and relevant system auditing, and essentially make sure nothing stupid happened whether it be with something we developed ourselves, or auditing the work done by contractors. One of the tougher bits is trying to keep track of different sections of the organisation that've decided to spin off and implement something themselves before you've heard of it, but it's impossible to imagine that could occur here when there are kiosks apparently sitting inside the firewall.

    Right now I'm quite flabbergasted that orgs like WINZ and ACC obviously either aren't employing enough people capable of doing this and given a mandate for it, or they're not giving them enough resources, access and control over what's going on to do their job properly.


  • Capture: BOTY Potty.,

    The spokesbird has been positively raving in the last little while about Mr Morrison's attitude to commercialisation in conservation.

