13th June 2011, 22:23 | #41
A mariachi ogre snorkel

In a side-splitting followup to the above post, I see Labour has just realised that the entire file and directory structure of the Labour website, from the web root down, has been publicly visible and searchable for some time. For bonus lols: some Labour IT supergenius has been using that server as a file repository for internal documents. Trivial stuff, like unencrypted SQL and CSV of party membership, donation, and mailing lists.
http://www.geekzone.co.nz/nate/7700 FUCKING. MUPPETS.
13th June 2011, 22:51 | #42
Ich Bin Ein Grey Lynner

Apparently IP addresses that belong to machines at the National Party HQ have been found in the access logs of downloads of those docs from the Labour site. heh.
13th June 2011, 22:57 | #43
A mariachi ogre snorkel

Given that all those documents were indexed by Google (and still cached) I wouldn't be surprised. Then again, I also wouldn't believe a thing Labour says about this clusterfuck - they'll all be in arse-covering blame-someone-else mode. Hell, I wouldn't believe that anyone there knows what an IP address is.
14th June 2011, 10:00 | #44

This and Sony's "What's an SQL injection" failure .. are epic, epic fails of the basics.... not even anything difficult, "common sense" by now for anything web-facing lol.
__________________
, ______ /l ,[____], l---⌐¬-0lllllll0- ()_) ()_)--o-)_)
14th June 2011, 10:33 | #45
A mariachi ogre snorkel

Want Labour's internal SQL server usernames and passwords? Here, Google's indexed the configs:
http://www.google.com/search?ie=UTF-...rg.nz+password
14th June 2011, 10:55 | #46
Ich Bin Ein Grey Lynner

I think Slater's criticism is valid. Labour has the right to have *a* site paid for and maintained by Parliamentary Services. Having multiple campaign sites and their CRM (!) hosted on the same box is probably crossing a line.
14th June 2011, 11:59 | #47

I was more impressed by how quickly the handwringers over at you-know-where shifted into 'bene bashing' Slater. Extra lols all round.
14th June 2011, 12:54 | #48

So who's responsible for this security failure?
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
14th June 2011, 13:14 | #49
Stunt Pants

National Party of course!
__________________
I just want to understand this, sir. Every time a rug is micturated upon in this fair city, I have to compensate the owner?
14th June 2011, 13:33 | #50

I know the National Party were the ones who exploited the lack of security; I'm interested in who was responsible for this security in the first place.
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
14th June 2011, 13:40 | #51
Ich Bin Ein Grey Lynner

I've heard that National is claiming that when "the news went around the office" somebody junior there "clicked the links before they realized it was a dumb thing to do".
I think it's funny that Porirua has been exposed as a hotbed of internet hackers.
14th June 2011, 13:57 | #52
Stunt Pants

__________________
I just want to understand this, sir. Every time a rug is micturated upon in this fair city, I have to compensate the owner?
14th June 2011, 14:02 | #53
A mariachi ogre snorkel
14th June 2011, 14:07 | #54
Stunt Pants

Labour party. Hating on beneficiaries when it suits them; buying their votes the rest of the time!
__________________
I just want to understand this, sir. Every time a rug is micturated upon in this fair city, I have to compensate the owner?
14th June 2011, 14:11 | #55

__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
14th June 2011, 14:21 | #56
Stunt Pants

Try not to take things at face value. Did you bother to view Slater's youtube that showed how he accessed the site? The one that Ab linked to? The site didn't have an index file. Anybody that viewed the url would have seen what Cameron Slater saw and same goes for anybody browsing from a National IP. When the NBR uses language like "The National Party has admitted exploiting a security hole" they're just dramatising the story and dopes like you accept it. If you'd gone to that url and poked around their wide-open directory structure, your IP address would be in the logs as well. How's this for a headline: FIXED_TRUTH ADMITS EXPLOITING SECURITY HOLE.
__________________
I just want to understand this, sir. Every time a rug is micturated upon in this fair city, I have to compensate the owner?
14th June 2011, 14:23 | #57
14th June 2011, 14:27 | #58
A mariachi ogre snorkel

Visiting a public URL with a web browser is hardly "exploiting a security hole".
14th June 2011, 14:28 | #59

This is BASIC ... BASIC IT shit here .... nothing used other than publicly available information. ZOMG I just hacked the phone book using yellowpages.co.nz ... BAD ASS.
__________________
, ______ /l ,[____], l---⌐¬-0lllllll0- ()_) ()_)--o-)_)
14th June 2011, 15:12 | #60

I thought it was all a joke, till I read the comments, those people are serious O_O Something about the average voter -> here <-
14th June 2011, 15:17 | #61

__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
14th June 2011, 15:21 | #62
Stunt Pants

There is no exploiting
Keep spinning, brah.
__________________
I just want to understand this, sir. Every time a rug is micturated upon in this fair city, I have to compensate the owner?
14th June 2011, 15:30 | #63

Using the information to its maximum ability = Exploit
You're assuming the second one; the first one we know for sure.
Your car getting pinched after it being locked down, secured, alarmed etc = Burglary/Theft
Leaving your windows down and doors unlocked = Stupid Cunt
They left the door wide open and only have themselves to blame .... but it's probably easier to point the finger at the opposition. I'm surprised Labour hasn't dropped in "Anonymous" just because it's another fucking buzz word.
__________________
, ______ /l ,[____], l---⌐¬-0lllllll0- ()_) ()_)--o-)_) Last edited by ^BITES^ : 14th June 2011 at 15:31.
14th June 2011, 15:42 | #64

I'm merely saying that because of the sensitive nature of the material, National took advantage of the situation by accessing that information and keeping to themselves that this private information was mistakenly made public.
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
14th June 2011, 15:46 | #65
Stunt Pants

It's hardly National's obligation to let Labour know that they fucked up their shitty website. National is busy with important shit. Like, y'know, running the country.
__________________
I just want to understand this, sir. Every time a rug is micturated upon in this fair city, I have to compensate the owner?
14th June 2011, 15:48 | #66
A mariachi ogre snorkel
14th June 2011, 15:51 | #67

__________________
Stay shook. No sook.
14th June 2011, 16:35 | #68

__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
14th June 2011, 16:40 | #69

This is from the NBR
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
14th June 2011, 16:48 | #70
Objection!

The thing Shera doesn't appear to have understood is the "thin ice" principle in criminal law, i.e. you construe the statute in the least restrictive or most favourable way towards the defendant/potential defendant. His idea of authorisation appears to have an additional gloss that "reads up", rather than "reading down" the statute in favour of the potential defendant.
As far as I am aware, this issue is untested in NZ but on the face of it I don't like Shera's interpretation. It might be more "IT aware" or what have you but it's incompatible with how we normally interpret criminal law.
14th June 2011, 16:50 | #71
A mariachi ogre snorkel

But for NZ Labour, as usual, it's always someone else's fault. It's all a plot. Those nasty bloggers. That terrible two-faced John Key. The vast right-wing media conspiracy. Labour, from the top down, is incapable of just plain admitting "YES WE FUCKED UP." Instead we get bullshit about "hacking".
14th June 2011, 16:51 | #72

Some moron. Who hired the IT Security Dude? ("Moron") Labour. Labour --> Moron. When shit hits the fan .. the IT guy fucked up sure .. but the management made it possible for him to fuck up, e.g. should have been told "SECURE THIS SHIT AS TIGHT AS A FROG'S ASS", run on its own framework etc etc, all the "Good things". Fact is, IT do what they are told or defined to do (see the numerous "customer asked for X but wanted Y" posts by a number of peeps on here). If I fucked up, I fucked up .. but my company is the one that's in the shit ... not me; they hired and defined what the requirements are. Not the other way around.
They were after all publishing those details on the largest search engine to date...... those cads! Take it to 'em, Labour! .. Prrrp .. FAIL.
__________________
, ______ /l ,[____], l---⌐¬-0lllllll0- ()_) ()_)--o-)_) Last edited by ^BITES^ : 14th June 2011 at 16:54.
14th June 2011, 16:53 | #73

__________________
, ______ /l ,[____], l---⌐¬-0lllllll0- ()_) ()_)--o-)_)
14th June 2011, 16:55 | #74
A mariachi ogre snorkel
14th June 2011, 20:52 | #75

Labour is embarrassing
14th June 2011, 21:16 | #76
HENCE WHY FOREVER ALONE

__________________
Finger rolling rhythm, ride the horse one hand...
14th June 2011, 21:17 | #77

__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong. Last edited by fixed_truth : 14th June 2011 at 21:21.
15th June 2011, 12:14 | #78

They hired said company; they are responsible for what that company does for them under their direction, that's what IT does. If they "purposely" leaked/made it insecure/failed to do their job, then grats Labour on making a shit choice of companies ... they are still responsible. Fact is, this could have ALL been avoided (or at minimum mitigated better) with a SIMPLE 2-4 grand penetration test from a number of independent companies, which is still Labour's responsibility. Stop trying to pass the buck off to someone else .... it's their fuck up ... deal with it.
However "How to secure apache" in Google comes up with all the basic information that would have almost completely avoided this....... (but .. they should already know this or hired someone that did.)
__________________
, ______ /l ,[____], l---⌐¬-0lllllll0- ()_) ()_)--o-)_) Last edited by ^BITES^ : 15th June 2011 at 12:16.
15th June 2011, 12:51 | #79

If the latter scenario IS true, who do you think should be held accountable in the Labour Party and what should happen to them?
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
15th June 2011, 13:11 | #80

If the IT company was not doing their job, then they hired a shit company or the requirements were badly defined or managed. This would have been found through some BASIC analysis ... fucking up Apache settings on Indexes is fucking nub shit. Shit, even just a search on Google would have pointed out how fail this was. Further to that (could have read the whole post rather than me repeating it), an independent review of "externally hosted" kit is fairly normal for something as "critical" as this appears to be (user data especially!); it's not hard ... or expensive, and would have avoided/mitigated a lot of this. So based on your daft logic, how exactly does failure to check critical work, or failure to define the service parameters to a contracted service, indicate the ability to run a country? Can't manage a single website ... but wants to manage the country. Solid logic there. Ahhh no. (FYI I don't vote or support Labour/National/anyone in case you are curious about my political agenda here .... this is basic fucking up at management/IT level of the extreme basics.) My guess is in a "gun related crime" you blame the gun for killing someone. Bout right?
__________________
, ______ /l ,[____], l---⌐¬-0lllllll0- ()_) ()_)--o-)_)
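As an added example (not code from the thread or from any of the sites it discusses), a Python audit for the two mistakes the posts keep coming back to: directories with no index file, which Apache lists when `Options Indexes` is on, and SQL/CSV dumps or config files sitting under the document root. The extension list, the sample tree and the two Apache fragments (weak setting beside the corrected one) are constructed, and the `Options` parser is a deliberate simplification that ignores per-directory merging.

```python
"""Audit a web root for the exposures this thread describes (see lead-in)."""
import os
import re
import tempfile

SENSITIVE_EXT = {".sql", ".csv", ".bak", ".conf", ".ini", ".env", ".zip", ".gz"}  # assumed list
INDEX_FILES = {"index.html", "index.htm", "index.php"}

def audit_webroot(root):
    """Return (unindexed_dirs, sensitive_files), relative to root, sorted."""
    unindexed, sensitive = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        rel = "" if dirpath == root else os.path.relpath(dirpath, root)
        if not INDEX_FILES & set(filenames):  # would be listed if Indexes is on
            unindexed.append(rel + "/")
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SENSITIVE_EXT:
                sensitive.append(os.path.join(rel, name))
    return sorted(unindexed), sorted(sensitive)

def indexes_enabled(apache_conf):
    """True if the Options lines leave 'Indexes' on. Simplification: lines are
    applied in order, ignoring the per-<Directory> merging real Apache does."""
    opts = set()
    for m in re.finditer(r"^[ \t]*Options[ \t]+(.+)$", apache_conf, re.M | re.I):
        toks = m.group(1).split()
        if not all(t[0] in "+-" for t in toks):
            opts = set()  # an unprefixed list replaces the whole option set
        for t in toks:
            if t.startswith("-"):
                opts.discard(t[1:].lower())
            else:
                opts.add(t.lstrip("+").lower())
    return "indexes" in opts

# Constructed sample config: the weak setting beside the corrected one.
WEAK_CONF = "<Directory /var/www>\n    Options Indexes FollowSymLinks\n</Directory>\n"
FIXED_CONF = "<Directory /var/www>\n    Options -Indexes +FollowSymLinks\n</Directory>\n"

def build_sample_webroot():
    """Constructed tree mirroring the thread's description; file bodies are placeholders."""
    root = tempfile.mkdtemp()
    files = {"index.html": "<html></html>", "campaign/index.php": "<?php ?>", "config.inc.bak": "db_pass=PLACEHOLDER",
             "internal/members.sql": "-- constructed dump", "internal/donors.csv": "name,amount"}
    for path, body in files.items():
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root
```

Running `audit_webroot(build_sample_webroot())` reports `internal/` as listable and the three dump/config files as misplaced; `indexes_enabled` returns True for the weak fragment and False for the corrected one.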