15th June 2011, 23:25 | #121
A mariachi ogre snorkel

OH THEY'D JUST DOWNLOAD THE EXPOSED DATABASE FROM THE OPEN LABOUR WEBSITE, OF COURSE

15th June 2011, 23:27 | #122

__________________
Stay shook. No sook.

15th June 2011, 23:31 | #123

Maybe they should've sent Peter Goodfellow over to Melbourne to dig up an IT person for them. It's what mates do.

15th June 2011, 23:36 | #124

But looking past that, sure, isolation of roles is a fairly common band-aid to mitigate and contain risks, but it's not a be-all-end-all solution. It's not a magic bullet which fixes everything else wrong with your setup. And you could build something which was actually more secure on a single server than a poorly implemented tiered approach. Pretty sure Sony had more than one server; didn't do them a shitload of good, did it?
__________________
Drone. Now with 17% more filling!

15th June 2011, 23:44 | #125

__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.

15th June 2011, 23:50 | #126

So having the services split between boxes would have certainly protected innocent National party members in this case, right?
__________________
Stay shook. No sook.

16th June 2011, 00:06 | #127

That's all. I don't think a debate about hypothetical "better" designs is very useful, because in this case it looks like the problems were a bit more fundamental than how many servers they had. In general, if one server is badly run, two is not going to be any better, right? And given one was badly run, I doubt a single bit of this thread and who did what to whom would change if there were two. Or twenty.
__________________
Drone. Now with 17% more filling!

16th June 2011, 00:11 | #128

__________________
, ______ /l ,[____], l---⌐¬-0lllllll0- ()_) ()_)--o-)_)

16th June 2011, 01:24 | #129
A mariachi ogre snorkel

16th June 2011, 07:54 | #130
Ich Bin Ein Grey Lynner

It was a bad management decision to not treat them as something that had to be kept separate in the first place. For both security and conflict of interest reasons, being that the Labour site is supposed to be run by Parliamentary Services and the other sites not.

16th June 2011, 08:48 | #131

__________________
Stay shook. No sook.

16th June 2011, 09:04 | #132
Love, Actuary

Have a light and a button on the network and internet sides of the connection and stand a trained pigeon in the middle. Connected? Absolutely. Likelihood of getting anything unexpected to flow in either direction? Pretty slim.

16th June 2011, 09:18 | #133
I have detailed files

So, did the details exposed include the credit card numbers of those making donations? Because if so, they are probably now in breach of contract with their bank, and may have their merchant status revoked...
That's gotta hurt on the run up to a costly venture.
16th June 2011, 09:22 | #134

What drone was saying is absolutely correct: there's no such thing as "secure", even if it's completely air-gapped. Because even then a user is in control of the "air gap" and thus there's a flaw, which could be exploited through the (currently) most common form/successful method of hacking, social engineering. If you think anything else, e.g. "I'm completely secure", you are fooling yourself. "Security" at the end of the day is all about mitigation. Mitigate as much as possible and put points on risks (normally where a user or admins need access or communication to/from said device is required); completely secure is a myth. Any high-security oriented person worth their salt would agree and only idiots would say they were 100% secure (see any of the recent lulz etc. events as a prime example). I'm not really that keen to get into a long-term debate about this as (same angle as drone here, many ways to skin a cat etc. etc., and this probably isn't the place to discuss "IT best practices" and "meaning of 'nothing is secure'") I can't be arsed rinsing and repeating the same shit that's been said before.
__________________
, ______ /l ,[____], l---⌐¬-0lllllll0- ()_) ()_)--o-)_)

16th June 2011, 10:16 | #135

__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.

16th June 2011, 10:48 | #136

Anyone fancy being called Greg Presland? Better hope that David Garret didn't grab a copy of that DB.
__________________
Spig.

16th June 2011, 11:08 | #137
A mariachi ogre snorkel

The "oh noes CC details were exposed" thing is a bit of a diversion IMHO. The most damning elements here are:
1. The Labour Party has once again demonstrated its keen ability to fuck up in public at the worst possible time. Hey look everyone, the first significant polling jump for Labour in months--WHOOPS HERE COMES ANOTHER FUCKUP, FORGET THE POLLS LET'S TALK INCOMPETENCE.
2. The Labour Party has shown its donors and members that it can't be trusted to keep their details confidential. That means people will be less likely to donate and join in the future. In an election year, that hurts.
3. A blogger not known for his love of Labour nor for his restraint now has a list of everyone on Labour's database. Every time "concerned mother Jane Smith of Ohakune" comments in an interview that "she is politically neutral but she thinks Anne Tolley is the Antichrist" that list is going to get grepped and we're going to hear that politically-neutral Jane Doe is a Labour Party member and frequent donor, and the story will become a story about Labour trying to influence the media through sock puppets. Fail fail fail.
16th June 2011, 11:16 | #138

Lolbour

16th June 2011, 11:26 | #139

Not sure Joe Labour really understands what's happened here, or cares very much.

16th June 2011, 11:32 | #140

__________________
Stay shook. No sook.

16th June 2011, 12:26 | #141

Again, there's a hugely misguided assumption going on that because good designs have multiple servers, multiple servers are inherently good design. That's just not the case, not in isolation. There is a world of ways you can fuck up a design where the number of servers just isn't going to change the outcome. Many, many people think they're secure because they've met some checklist, or they've spent a lot of money on "security" (cf. Hell), or because they have never been compromised. It's very naive, and the day someone takes an interest in your servers you will find out just how quickly you can find your pants around your ankles. In this case, I doubt Labour made any significant design decisions about how this was hosted at all (and almost certainly not about what the root cause was). They contracted a company to host things for them, and like a lot of non-technical customers expected said company would do a reasonable job. (I'm ignoring the rest of the non-technical parts of this discussion because honestly it's a mudslinging match I don't think is useful. I suspect if Slater had gotten so much as a 1x1 transparent GIF out of a directory he shouldn't have known about, it would have immediately blown up into X hacked Y blah blah blah.)
__________________
Drone. Now with 17% more filling!

16th June 2011, 12:38 | #142
I have detailed files

16th June 2011, 13:40 | #143

__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.

16th June 2011, 18:30 | #144
Love, Actuary

Quote (^BITES^): so there's a chance, there always is, that was the point.

Yep - the pigeon might die. But it's not a useful position to take. There is a chance of most things happening. For example, there's a chance you'll be dead before you next come to this forum. And that chance is much greater than some of the chances being talked about here. Yet, do you worry about this or talk about it as a possibility or, worse, mark someone down for not conceding such a chance is real (despite being irrelevant)?
18th June 2011, 01:29 | #145

__________________
"Take four red capsules, in ten minutes-take two more. Help is on the way."

18th June 2011, 01:54 | #146
Stunt Pants

Is that bad? I mean, those websites mentioned actually state that they are publicly funded, so it's not exactly a secret.
__________________
I just want to understand this, sir. Every time a rug is micturated upon in this fair city, I have to compensate the owner?
18th June 2011, 08:57 | #147

Wow, some real good detective work right there. Using Whois to get to the bottom of this conspiracy.

18th June 2011, 12:06 | #149

Linking to whaleoil . . . that's a paddlin
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
18th June 2011, 12:11 | #150

True. But it is he who is digging through the Labour lols atm.

18th June 2011, 12:20 | #151

heh. bugger
__________________
"Take four red capsules, in ten minutes-take two more. Help is on the way."
18th June 2011, 19:53 | #153

Douchebags.
So why doesn't any MP want to accept these postcards from the NZEI? Do they fucking hate kids, or is it some kind of parliamentary protocol?
__________________
Stay shook. No sook.
18th June 2011, 20:58 | #154

I'd be interested to know the privacy statement associated with the post-cards.
This might clarify if NZEI were permitted to forward the postcards to Moroney to present to the Prime Minister and, if after the PM refused them, Moroney was permitted to use the information. It looks like Moroney claims the database was used to send a one-off response to the signatories letting them know the situation. Ok, then she just forgot to delete the database!?! Not a good look.
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
19th June 2011, 15:36 | #155

http://www.nzei.org.nz/site/nzeite/f...e_postcard.pdf I wonder if this still means NZEI providing Labour the emails was a privacy breach?
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.

20th June 2011, 09:33 | #156

Especially in this particular case of a web-facing internet service, which this was specifically referred to (and you still haven't posted anything worth reading on that point ... you're currently arguing semantics of the statement). I'm not exactly shocked here ... you sound like a manager quoting Computerworld like you're best mates with Bill Gates because you upgraded to Windows 7 at home this weekend. You've gone from best practice to "what is most likely" again .. failing the actual point of the statement (and more so understanding what it meant to this particular issue; still haven't posted anything worth reading on that ....). It is a commonly used term for security (similar to "if you can [physically] touch it, security is breached"), because only fucking idiots believe they can achieve a 100% secure environment (especially where user interaction is required!!!). You clearly fit this bill, and like living in that dream world; continue, I don't care. A lot of companies lately have enjoyed that kind of stupid biting them in the ass. Quite the show tbh. As I've said before I don't care to argue the semantics of a commonly used IT security statement/best practice here, more so arguing a statement used by people with a lot higher IQs and pay rates than myself! Especially with someone that clearly knows fuck all about it ... baselessly arguing semantics.
__________________
, ______ /l ,[____], l---⌐¬-0lllllll0- ()_) ()_)--o-)_)

20th June 2011, 20:55 | #157
Love, Actuary

My point was that it is not useful observing that nothing is secure, since this requires introducing events that have no practical probability of occurrence. In every valid context examined by the direction of your argument, risk can be mitigated to the extent that it is acceptable at all levels, from the individual up through every legal construct, ultimately ending in everything contained under the umbrella of mankind. Most businesses operate at probabilities of insolvency measured in percent. Highly regulated companies (financial services) are almost never required to get down lower than a 0.01% chance of insolvency over the short term. Any part of your argument that involves in aggregate a risk lower than that is irrelevant; theoretically present but utterly uninteresting. Do you now understand?

20th June 2011, 21:10 | #158
HENCE WHY FOREVER ALONE

__________________
Finger rolling rhythm, ride the horse one hand...

20th June 2011, 22:16 | #159
A mariachi ogre snorkel

"D" is for DODGY.

21st June 2011, 08:03 | #160
Love, Actuary

It's easy to act with integrity most of the time because nothing out of the ordinary needs to be done; just ambling along through life will, generally speaking, let you stay on the right side of the line.

The test comes when something special happens. For example, where you can take advantage of another without them likely finding out. Of course nobody should do this because such an action puts you in the bad-person camp. Political parties get the integrity test more often than ordinary people simply because they're involved in far more things than ordinary people are, i.e. exposure to more events means more events that matter come up.

Labour seem to make a habit of failing the integrity test. For example, not so long ago we saw them comparing increases in gross wage inflation in a situation when they knew two things: First, that the comparison they were making only made sense if done on a net-of-tax basis (and the result on this basis was the opposite of what they were claiming). Second, that most people aren't good at mathematics and thus were likely to be fooled by Labour's lie. The intent here was to mislead good honest people into believing a significant bare-faced lie that itself was told purely for electioneering purposes.

Now we see that same integrity test being failed again. Here we have their union buddies exploiting the naivety of a group of people who wanted to express their view on a matter to harvest contact details of people who might be swayed to vote for Labour.

On one level Labour could win the election. Its normal position is not that different to National. The lefties love them for being a left party. But therein lies the problem - they just keep on telling porkies. Labour is a centre party (most of the time) that seems to be positioning itself as the party that will lie through their teeth every chance they get. This is a bizarre electioneering position to take. The top echelon of that party is obviously going to need to go and they'll spend six years starting again - not that they look in any rush to actually start. No matter though - the other centre party will keep the keel straight.
The test comes when something special happens. For example, where you can take advantage of another without them likely finding out. Of course nobody should do this because such an action puts you in the bad-person camp. Political parties get the integrity test more often than ordinary people simply because they're involved in far more things than ordinary people are i.e. exposure to more events means more events that matter come up. labour seem to make a habit of failing the integrity test. For example, not so long ago we saw them comparing increases in gross wage inflation in a situation when they knew two things: First, that the comparison they were making only made send if done on a net-of-tax basis (and the result on this basis was the opposite of what they were claiming). Second, that most people aren't good at mathematics and thus were likely to be fooled by labour's lie. The intent here was to mislead good honest people into believing a significant bare-faced lie that itself was told purely for electioneering purposes. Now we see that same integrity test being failed again. Here we have their union buddies exploiting the naivety of a group of people who wanted to express their view on a matter to harvest contact details of people who might be swayed to vote for labour. On one level labour could win the election. It's normal position is not that different to National. The lefties love them for being a left party. But there in lies the problem - they just keep on telling porkies. Labour is a centre party (most of the time) that seem to be positioning itself as the party that will lie through their teeth every chance they get. This is a bizarre electioneering position to take. The top echelon of that party is obviously going to need to go and they'll spend six years starting again - not that they look in any rush to actually start. No matter though - the other centre party will keep the keel straight. |