Geekzone: technology news, blogs, forums


openmedia

3324 posts

Uber Geek

Trusted

#255729 26-Aug-2019 14:30

I'm surprised that I can't find an existing GZ thread on this given it made TVNZ One's headlines last night

 

Now the following comments are my own and in no way reflect my current employer

 

A couple of concerns

 

  • The Ministry isn't being transparent about the issue
    • For example, where was the data being hosted and who was the external company responsible for operating the service
  • The lack of governance for this project
    • There appears to have been no security audit of a service that contains fairly critical confidential information
  • No one is being held accountable
    • and yet they've known about the issue for some time before deciding to go public.

What I'd personally like to see

 

  • Security review of all NZ Govt services with a focus on data security
  • Immediate on-shoring of all NZ Govt data
  • Disclosure portal so that NZ nationals/residents can request a list of any external parties your data is being shared with
    • broken down by agency
    • for example passport data being shared for immigration purposes
    • options to opt out of data sharing

I'm personally unhappy to see my personal data being hosted offshore by Government departments, but it appears to be an increasing trend as departments move to cloud based platforms.

 

 

 

 





Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.


Regs
4066 posts

Uber Geek

Trusted
Snowflake

  #2306206 26-Aug-2019 14:39

"Immediate onshoring of all nz govt data" isn't a solution. Security can be better monitored/managed in many offshore hosted services/solutions than in many onshore options.






Beccara
1469 posts

Uber Geek

ID Verified

  #2306210 26-Aug-2019 14:50

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under the Privacy Act.





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

BlinkyBill
1443 posts

Uber Geek
Inactive user


  #2306252 26-Aug-2019 15:41

Big cloud providers are certain to have significantly better security available than small local providers who haven’t invested in specialists. This breach illustrates this perfectly.



Beccara
1469 posts

Uber Geek

ID Verified

  #2306261 26-Aug-2019 15:52

Yeah, the only guys I'd trust in NZ for cloud like this would be Catalyst

 

 

 

edit:// Govt Depts also have the ISM, which is a pretty good framework for this under the PSR. I doubt the root cause of this issue is lacking policy but lacking implementation: https://www.nzism.gcsb.govt.nz/





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

BuffyNZ
241 posts

Master Geek


  #2306280 26-Aug-2019 16:16

Beccara:

 

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under the Privacy Act.

 

 

Can't the AU govt now demand the encryption keys and/or backdoors to all data stored in the AU?

 

I recall some chatter about how no data stored in the AU can be GDPR compliant.

 

https://iapp.org/news/a/australias-anti-encryption-collision-with-gdpr-sub-processing/





Recursion: See recursion.
--
“It is important not to let the perfect become the enemy of the good, even when you can agree on what perfect is. Doubly so when you can't. As unpleasant as it is to be trapped by past mistakes, you can't make any progress by being afraid of your own shadow during design.”

     --Greg Hudson, Subversion developer


cyril7
9058 posts

Uber Geek

ID Verified
Trusted
Subscriber

  #2306282 26-Aug-2019 16:18

Not sure if I heard right, but was not the web site that gathered the info in the first place a WordPress one [rolls eyes]? If so, then not very clever.

 

Cyril


networkn
Networkn
32349 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2306283 26-Aug-2019 16:19

As a result of having no culture or heritage, thankfully I am unaffected by this :)

 

 


 
 
 

nztim
3812 posts

Uber Geek

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2306308 26-Aug-2019 17:17

BuffyNZ:

 

Beccara:

 

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under the Privacy Act.

 

 

Can't the AU govt now demand the encryption keys and/or backdoors to all data stored in the AU?

 

I recall some chatter about how no data stored in the AU can be GDPR compliant.

 

https://iapp.org/news/a/australias-anti-encryption-collision-with-gdpr-sub-processing/

 

 

 

 

Yes they can, law changed Dec 2018.





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


Rikkitic
Awrrr
18657 posts

Uber Geek

Lifetime subscriber

  #2306356 26-Aug-2019 17:39

openmedia:

 

I'm surprised that I can't find an existing GZ thread on this given it made TVNZ One's headlines last night

 

 

Actually, I did start one in Politics yesterday afternoon but no-one responded.

 

 





Plesse igmore amd axxept applogies in adbance fir anu typos

 


 


openmedia

3324 posts

Uber Geek

Trusted

  #2306406 26-Aug-2019 19:14

Regs: "Immediate onshoring of all nz govt data" isn't a solution. Security can be better monitored/managed in many offshore hosted services/solutions than in many onshore options.

 

 

 

Except I don't want my data to be requested by the AU or US Governments without my knowledge or permission.





Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.


Regs
4066 posts

Uber Geek

Trusted
Snowflake

  #2306425 26-Aug-2019 20:01

openmedia:

Regs: "Immediate onshoring of all nz govt data" isn't a solution. Security can be better monitored/managed in many offshore hosted services/solutions than in many onshore options.


 


Except I don't want my data to be requested by the AU or US Governments without my knowledge or permission.



A lot of cloud solutions can be configured so that the keys to decrypt are only in the control of the company who buys the service. Not much AU/US can do in that situation except come at the company asking for the keys.

Your data most likely will be easier for a 3rd party to "take" in a local provider's infrastructure - where they have less money to spend on threat protections, and information protection.




Beccara
1469 posts

Uber Geek

ID Verified

  #2306474 26-Aug-2019 21:21

If a state wants your data it will get your data no matter where it is. There's a reason security levels jump in terms of cost and manpower when your threat model is a state-level actor.





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

VirtualKiwi
29 posts

Geek


  #2306481 26-Aug-2019 21:31

cyril7:

 

Not sure if I heard right, but was not the web site that gathered the info in the first place a WordPress one [rolls eyes]? If so, then not very clever.

 

Cyril

 

 

I looked up the Google cache, and yes, it is (or was) a WordPress site, using the Divi drag and drop page builder, so likely built by a designer, not a developer from the look of things.

 

Even worse, looking at the source code, it looks as though it requires Flash!

 

I've seen some pretty dodgy stuff at times, probably more so from designers, but also sometimes from developers.

 

  • Using the same easily guessable password for multiple websites for the admin admin login.
  • Using WordPress with a stack of plugins, with no idea of whether they're secure or not.
  • Using libraries with known XSS vulnerabilities.
  • Sites running on HTTP instead of HTTPS even though offerings like Let's Encrypt make HTTPS trivial to implement.

I'm a bit disappointed though that the government response is now that only a limited range of suppliers will be considered in future, as this is likely to lock out small providers who do make an effort to take more care with security.

 

It can be hard enough competing with the WordPress crowd, without them giving the industry a bad name.


Jogre
182 posts

Master Geek


  #2306628 27-Aug-2019 10:13

https://www.reseller.co.nz/article/665671/government-mandates-use-approved-ict-providers-after-security-failure/

 

Govt Mandate on ICT providers sounds like a reasonable response. The issue isn't the hosting location, it is the people rolling it out without being competent. I think what Microsoft and Amazon are investing in their hosting is not able to be reproduced onshore in terms of the infrastructure and levels of security. But if you use Admin/Admin as the credentials to access, there's no helping you.


BlinkyBill
1443 posts

Uber Geek
Inactive user


  #2306635 27-Aug-2019 10:35

The same sort of people who established the approved providers list selected the provider for this Culture and Heritage website. That is, Public Servants.
