Geekzone: technology news, blogs, forums
2122 posts, Uber Geek, Trusted
# 255729 26-Aug-2019 14:30
2 people support this post

I'm surprised that I can't find an existing GZ thread on this given it made TVNZ One's headlines last night.

Now the following comments are my own and in no way reflect my current employer.

A couple of concerns:

  • The Ministry isn't being transparent about the issue
    • For example, where was the data being hosted and who was the external company responsible for operating the service?
  • The lack of governance for this project
    • There appears to have been no security audit of a service that contains fairly critical confidential information
  • No one is being held accountable
    • and yet they've known about the issue for some time before deciding to go public.

What I'd personally like to see:

  • Security review of all NZ Govt services with a focus on data security
  • Immediate on-shoring of all NZ Govt data
  • Disclosure portal so that NZ nationals/residents can request a list of any external parties their data is being shared with
    • broken down by agency
    • for example passport data being shared for immigration purposes
    • options to opt out of data sharing

I'm personally unhappy to see my personal data being hosted offshore by Government departments, but it appears to be an increasing trend as departments move to cloud based platforms.
Generally known online as OpenMedia, now working for Red Hat APAC a Technology Evangelist and Product Manager. Still playing with MythTV and digital media on the side.


Cloud Guru, 4060 posts, Uber Geek, Trusted, Snowflake, Subscriber
# 2306206 26-Aug-2019 14:39
5 people support this post

"Immediate onshoring of all NZ govt data" isn't a solution. Security can be better monitored/managed in many offshore hosted services/solutions than in many onshore options.

1126 posts, Uber Geek
# 2306210 26-Aug-2019 14:50

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under the Privacy Act.

Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated.

468 posts, Ultimate Geek
# 2306252 26-Aug-2019 15:41

Big cloud providers are certain to have significantly better security available than small local providers who haven't invested in specialists. This breach illustrates this perfectly.

BlinkyBill

1126 posts, Uber Geek
# 2306261 26-Aug-2019 15:52
One person supports this post

Yeah, the only guys I'd trust in NZ for cloud like this would be Catalyst.

edit:// Govt Depts also have the ISM, which is a pretty good framework for this under the PSR. I doubt the root cause of this issue is lacking policy but lacking implementation https://www.nzism.gcsb.govt.nz/

Will not stab you, 237 posts, Master Geek, Subscriber
# 2306280 26-Aug-2019 16:16

Beccara:

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under the Privacy Act.

Can't the AU govt now demand the encryption keys and/or backdoors to all data stored in the AU?

I recall some chatter about how no data stored in the AU can be GDPR compliant.

https://iapp.org/news/a/australias-anti-encryption-collision-with-gdpr-sub-processing/

Recursion: See recursion.
--
“It is important not to let the perfect become the enemy of the good, even when you can agree on what perfect is. Doubly so when you can't. As unpleasant as it is to be trapped by past mistakes, you can't make any progress by being afraid of your own shadow during design.”

     --Greg Hudson, Subversion developer

6973 posts, Uber Geek, Trusted, Subscriber
# 2306282 26-Aug-2019 16:18

Not sure if I heard right, but was not the web site that gathered the info in the first place a WordPress one [rolls eyes]? If so, then not very clever.

Cyril

21314 posts, Uber Geek, Trusted, Lifetime subscriber
# 2306283 26-Aug-2019 16:19
2 people support this post

As a result of having no culture or heritage, thankfully I am unaffected by this :)

63 posts, Master Geek
# 2306308 26-Aug-2019 17:17

BuffyNZ:

Beccara:

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under the Privacy Act.

Can't the AU govt now demand the encryption keys and/or backdoors to all data stored in the AU?

I recall some chatter about how no data stored in the AU can be GDPR compliant.

https://iapp.org/news/a/australias-anti-encryption-collision-with-gdpr-sub-processing/

Yes they can, law changed Dec 2018.

Lock him up!, 10688 posts, Uber Geek, Lifetime subscriber
# 2306356 26-Aug-2019 17:39

openmedia:

I'm surprised that I can't find an existing GZ thread on this given it made TVNZ One's headlines last night.

Actually, I did start one in Politics yesterday afternoon but no-one responded.

I don't think there is ever a bad time to talk about how absurd war is, how old men make decisions and young people die. - George Clooney

2122 posts, Uber Geek, Trusted
# 2306406 26-Aug-2019 19:14

Regs: "Immediate onshoring of all NZ govt data" isn't a solution. Security can be better monitored/managed in many offshore hosted services/solutions than in many onshore options.

Except I don't want my data to be requested by the AU or US Governments without my knowledge or permission.

Cloud Guru, 4060 posts, Uber Geek, Trusted, Snowflake, Subscriber
# 2306425 26-Aug-2019 20:01
2 people support this post

openmedia:

Regs: "Immediate onshoring of all NZ govt data" isn't a solution. Security can be better monitored/managed in many offshore hosted services/solutions than in many onshore options.

Except I don't want my data to be requested by the AU or US Governments without my knowledge or permission.



A lot of cloud solutions can be configured so that the keys to decrypt are only in the control of the company who buys the service. Not much AU/US can do in that situation except come at the company asking for the keys.

Your data most likely will be easier for a 3rd party to "take" in a local providers infrastructure - where they have less money to spend on threat protections, and information protection.




1126 posts, Uber Geek
# 2306474 26-Aug-2019 21:21

If a state wants your data it will get your data no matter where it is. There's a reason security levels jump in terms of cost and manpower when your threat model is a state level actor.

21 posts, Geek
# 2306481 26-Aug-2019 21:31

cyril7:

Not sure if I heard right, but was not the web site that gathered the info in the first place a WordPress one [rolls eyes]? If so, then not very clever.

Cyril

I looked up the Google cache, and yes, it is (or was) a WordPress site, using the Divi drag and drop page builder, so likely built by a designer, not a developer from the look of things.

Even worse, looking at the source code, it looks as though it requires Flash!

I've seen some pretty dodgy stuff at times, probably more so from designers, but also sometimes from developers.

  • Using the same easily guessable password for multiple websites for the admin login.
  • Using WordPress with a stack of plugins, with no idea of whether they're secure or not.
  • Using libraries with known XSS vulnerabilities.
  • Sites running on http instead of https even though offerings like Let's Encrypt make https trivial to implement.

I'm a bit disappointed though that the government response is now that only a limited range of suppliers will be considered in future, as this is likely to lock out small providers who do make an effort to take more care with security.

It can be hard enough competing with the WordPress crowd, without them giving the industry a bad name.

108 posts, Master Geek, Microsoft NZ
# 2306628 27-Aug-2019 10:13
One person supports this post

https://www.reseller.co.nz/article/665671/government-mandates-use-approved-ict-providers-after-security-failure/

Govt Mandate on ICT providers sounds like a reasonable response. The issue isn't the hosting location, it is the people rolling it out without being competent. I think what Microsoft and Amazon are investing in their hosting is not able to be reproduced onshore in terms of the infrastructure and levels of security. But if you use Admin/Admin as the credentials to access, there's no helping you.

468 posts, Ultimate Geek
# 2306635 27-Aug-2019 10:35

The same sort of people who established the approved providers list selected the provider for this Culture and Heritage website. That is, Public Servants.




BlinkyBill

