Geekzone: technology news, blogs, forums
BDFL
Reply # 702059 16-Oct-2012 13:58

Perhaps because neither have experience or knowledge of how security vulnerabilities should be reported to the interested parties, since they are not in the security scene?




Awesome
Reply # 702062 16-Oct-2012 14:00

Kyanar: Immediate disclosure on a high traffic blog without warning is NOT responsible, ethical, or professional.  And before you ask, no I'm not defending MSD either.  I'm probably the most likely person you'll meet to criticize every move they make (more so under a National government), but that doesn't excuse the fact that neither Bailey nor Ng acted with any sense of ethics or professionalism in this case.


How is it not responsible, ethical or professional?




Twitter: ajobbins

Reply # 702063 16-Oct-2012 14:01

freitasm: Perhaps because neither have experience or knowledge of how security vulnerabilities should be reported to the interested parties, since they are not in the security scene?


Ng put Bailey in touch with an "experienced hacker", so he has access to someone who is, and therefore should have known better.




I finally have fibre!  Had to leave the country to get it though.


BDFL
Reply # 702065 16-Oct-2012 14:02

Good point.




Reply # 702067 16-Oct-2012 14:04

ajobbins: How is it not responsible, ethical or professional?


Are you really asking that?  It's obvious - there's a vulnerability with a pretty high chance of being of a severe nature, and rather than disclosing it to the affected party with a deadline for public disclosure, they disclosed it to them at the same time as disclosing it to the general public - malicious individuals included. Great way to get hits to your site, but it's a serious breach of ethics.  It's also highly unprofessional and incredibly irresponsible.

gzt

Reply # 702070 16-Oct-2012 14:12

Kyanar: Immediate disclosure on a high traffic blog without warning is NOT responsible, ethical, or professional.

To cut a long story short and removing conditionals - I completely agree.

But even so - you are confusing the long history of ethics in professional journalism with Responsible Disclosure.

Awesome
Reply # 702072 16-Oct-2012 14:15

Kyanar: Are you really asking that?  It's obvious - there's a vulnerability with a pretty high chance of being of a severe nature, and rather than disclosing it to the affected party with a deadline for public disclosure, they disclosed it to them at the same time as disclosing it to the general public - malicious individuals included. Great way to get hits to your site, but it's a serious breach of ethics.  It's also highly unprofessional and incredibly irresponsible.


You keep saying it's 'a breach of ethics', 'highly unprofessional', 'irresponsible' etc, but you don't actually quantify why.

They disclosed it at a time when the public couldn't access the kiosks - mitigating any risk that disclosure would cause people to use the exploit, they consulted with a lawyer and the privacy commissioner before releasing the information and have been fully co-operative ever since.

It's pretty clear to me that MSD were not going to take this issue with the seriousness this deserves until it was in the public domain.

If full disclosure was made to MSD prior to release, what I suspect would have happened would be they would have gone straight to a judge for a gag order - and the journalist involved probably knows this.




Twitter: ajobbins

Awesome
Reply # 702074 16-Oct-2012 14:21

gzt: But even so - you are confusing the long history of ethics in professional journalism with Responsible Disclosure.


The biggest issue with Responsible Disclosure, and the reason I don't think it is an appropriate response in this instance, is that it exists to allow time for the problem to be fixed, without putting the details into the public domain (Where the exploit could then be used).

In this instance the data available was so incredibly sensitive that the ONLY response was to immediately shut the kiosks down.

Adding a time delay should not have changed the response to this incident. Effectively, the time needed for their response is zero: someone makes the order 'shut them down', so a time delay would just be for the sake of a time delay.




Twitter: ajobbins

gzt

Reply # 702075 16-Oct-2012 14:24

By the way - I'm still not sure of all the circumstances of publication.

I have read that Ng published the story on his blog at 10pm at night. From what I have read these kiosks are not available to the public until WINZ opens.

Ng may have considered this period adequate notice of the issue and adequate time to take these kiosks offline.

Additionally - publishing at 10pm would have been enough time to get the story in the national morning papers as well. I'm curious to hear if that happened.

BDFL
Reply # 702168 16-Oct-2012 17:18

Quite true:


"That such sensitive data was available is incredibly serious, but in my opinion the more-serious implication is that - based on what Keith could do - I believe the entire WINZ network should be treated as compromised.

What do I mean by 'fully compromised'? I mean that every server and workstation should be considered to be accessible and controllable by people who are not employees of the WINZ/MSD system administration team.

And what does that all mean? It means that every backup, all the way to when the kiosks were installed is an unknown quantity. Recovering from this isn't just a matter of fishing out the last backup tapes and reinstalling the computers.

It means reinstalling all the computers."





gjm

Reply # 702190 16-Oct-2012 17:47

Surely all this talk of responsible disclosure is a moot point if they already knew about the issues (if that is indeed what the DiData audit found). They have had a year and a half to fix this stuff!




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]

Reply # 702709 17-Oct-2012 22:55

"We have no reason to believe other people have separately accessed private information through our kiosks.

If however anyone has done so, I would strongly urge them to do the right thing and hand it over."

From here http://www.msd.govt.nz/about-msd-and-our-work/newsroom/media-releases/2012/kiosk-security-breach.html

So in other words... We don't know, but please give us our data back....

This is so incredibly bad that it just defies words. And the fact they knew about it for months and months and did nothing is just staggering.

Reply # 702932 18-Oct-2012 13:50

The blogger did the right thing. Get the files and hand them over to MSD to say 'look, you have a problem'. He made them aware of it, and the public. I don't think any legal action should be taken against him. He had legitimate access to the files, and if they happened to be there, he could only assume that he was allowed to view them. If they were made public and WERE NOT INTENDED FOR THE PUBLIC, then that's on the Ministry, not the blogger.

I should also mention that last year when I applied for the sickness benefit, the guy at his desk opened up a PDF, and the Adobe program used was rather outdated. It makes me wonder what software, and what version of the software, they use.

Reply # 703343 19-Oct-2012 07:43

Just sent this email to Paula Bennett:

"Hi Paula,

In light of the MSD security breach, which I assume includes a review of StudyLink IT systems, I request that no information pertaining to me is on the MSD and StudyLink servers - but the continuation of StudyLink payments (loan and allowance), and disability allowance, to still take place, as well as the ability to update my profile on StudyLink's website - until an absolute guarantee is given to me that my information is safeguarded in accordance with principle five of the Privacy Act (http://privacy.org.nz/storage-and-security-of-personal-information-principle-five/).

Best,
Stevie"

Reply # 703636 19-Oct-2012 17:00

StevieT: Just sent this email to Paula Bennett:

"Hi Paula,

In light of the MSD security breach, which I assume includes a review of StudyLink IT systems, I request that no information pertaining to me is on the MSD and StudyLink servers - but the continuation of StudyLink payments (loan and allowance), and disability allowance, to still take place, as well as the ability to update my profile on StudyLink's website - until an absolute guarantee is given to me that my information is safeguarded in accordance with principle five of the Privacy Act (http://privacy.org.nz/storage-and-security-of-personal-information-principle-five/).

Best,
Stevie"


Your e-mail makes little sense.

Firstly, why are you asking questions when you are apparently trying to (very poorly) issue a statement? ("I request" is not how you start a question, it is how you start a statement, unless you are somehow trying to get Paula to guess if you are actually requesting something or not.)

Then what you request is utter nonsense.

You request (although, you TRIED to request as you didn't really)
* That no information about you is on studylink or MSD servers
* That the continuation of loan and allowance payments still take place (seriously, you expect this if they have no information about you?)
* That they continue to allow you to update your 'profile' (when you asked that they keep no information on you - seriously, do you even know what you are saying?)
* You want all of this to continue until they can guarantee that they comply with the law with respect to privacy and instead of quoting the legislation you quote a third party website.

And this doesn't go into the legalities of whether by putting the kiosk there and allowing anyone opening a file/open dialogue to access the information WINZ were not expressly giving permission for the general public to access your info they had stored.

Your e-mail is complete nonsense and has probably been printed out, stuck to a wall somewhere and used as an example on how NOT to write an e-mail to someone.

GG.
