NZGames.com Forums
Old 13th June 2011, 21:23     #41
Ab
A mariachi ogre snorkel
 
In a side-splitting followup to the above post, I see Labour has just realised that the entire file and directory structure of the Labour website, from the web root down, has been publicly visible and searchable for some time. For bonus lols: some Labour IT supergenius has been using that server as a file repository for internal documents. Trivial stuff, like unencrypted SQL and CSV of party membership, donation, and mailing lists.

http://www.geekzone.co.nz/nate/7700

FUCKING. MUPPETS.
Old 13th June 2011, 21:51     #42
smudge
Ich Bin Ein Grey Lynner
 
Apparently IP addresses that belong to machines at the National Party HQ have been found in the access logs of downloads of those docs from the Labour site. heh.
Old 13th June 2011, 21:57     #43
Ab
A mariachi ogre snorkel
 
Given that all those documents were indexed by Google (and still cached) I wouldn't be surprised. Then again, I also wouldn't believe a thing Labour says about this clusterfuck - they'll all be in arse-covering blame-someone-else mode. Hell, I wouldn't believe that anyone there knows what an IP address is.
Old 14th June 2011, 09:00     #44
^BITES^
 
Quote:
Originally Posted by Ab
In a side-splitting followup to the above post, I see Labour has just realised that the entire file and directory structure of the Labour website, from the web root down, has been publicly visible and searchable for some time. For bonus lols: some Labour IT supergenius has been using that server as a file repository for internal documents. Trivial stuff, like unencrypted SQL and CSV of party membership, donation, and mailing lists.

http://www.geekzone.co.nz/nate/7700

FUCKING. MUPPETS.
BAHAHAHAHAAHHA

This and Sony's "What's an SQL injection" failure .. are epic, epic fails of the basics.... not even anything difficult, "common sense" by now for anything web facing lol.
__________________
, ______
/l ,[____],
l---⌐¬-0lllllll0-

()_) ()_)--o-)_)
Old 14th June 2011, 09:33     #45
Ab
A mariachi ogre snorkel
 
Want Labour's internal SQL server usernames and passwords? Here, Google's indexed the configs:

http://www.google.com/search?ie=UTF-...rg.nz+password

Old 14th June 2011, 09:55     #46
smudge
Ich Bin Ein Grey Lynner
 
I think Slater's criticism is valid. Labour has the right to have *a* site paid for and maintained by Parliamentary Services. Having multiple campaign sites and their CRM (!) hosted on the same box is probably crossing a line.
Old 14th June 2011, 10:59     #47
ZoSo
 
I was more impressed by how quickly the handwringers over at you-know-where quickly shifted into 'bene bashing' Slater. Extra lols all round.
Old 14th June 2011, 11:54     #48
fixed_truth
 
So who's responsible for this security failure?
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
Old 14th June 2011, 12:14     #49
CCS
Stunt Pants
 
National Party of course!
__________________
I just want to understand this, sir. Every time a rug is micturated upon in this fair city, I have to compensate the owner?
Old 14th June 2011, 12:33     #50
fixed_truth
 
I know the National Party were the ones who exploited the lack of security, I'm interested in who was responsible for this security in the first place.
Old 14th June 2011, 12:40     #51
smudge
Ich Bin Ein Grey Lynner
 
I've heard that national is claiming that when "the news went around the office" somebody junior there "clicked the links before they realized it was a dumb thing to do".

I think it's funny that Porirua has been exposed as a hotbed of internet hackers.
Old 14th June 2011, 12:57     #52
CCS
Stunt Pants
 
Quote:
Originally Posted by fixed_truth
I know the National Party were the ones who exploited the lack of security
No they didn't. Cameron Slater is not the National Party. That's just a line that The Standard feeds to gullible twats like you.

Quote:
I'm interested in who was responsible for this security in the first place.
Maybe we can blame National anyway. That's usually the thing to do, isn't it? Blame National!
Old 14th June 2011, 13:02     #53
Ab
A mariachi ogre snorkel
 
Quote:
Originally Posted by ZoSo
I was more impressed by how quickly the handwringers over at you-know-where quickly shifted into 'bene bashing' Slater. Extra lols all round.
Gold. Posted by one of the editors of The Standard:

Quote:
for a sickness beneficiary, Slater’s pretty active, eh? Full-time blogging, breaking into websites, hunting, cycling (well, if you can call only being able to cover 20km in 50 minutes on a brand new racing bike ‘cycling’). Might be time for WINZ to take a closer look at this guy who’s living off the public teat.
Fucking bludgers.
Old 14th June 2011, 13:07     #54
CCS
Stunt Pants
 
Labour party. Hating on beneficiaries when it suits them; buying their votes the rest of the time!
Old 14th June 2011, 13:11     #55
fixed_truth
 
facepalm

Quote:
Originally Posted by CCS
No they didn't. Cameron Slater is not the National Party. That's just a line that The Standard feeds to gullible twats like you.
http://www.nbr.co.nz/article/nationa...leoil-ck-95242
Quote:
The National Party has admitted exploiting a security hole in the Labour Party website
Keep up the facade you're not an idiot, bro.
Old 14th June 2011, 13:21     #56
CCS
Stunt Pants
 
Try not to take things at face value. Did you bother to view Slater's youtube that showed how he accessed the site? The one that Ab linked to? The site didn't have an index file. Anybody that viewed the url would have seen what Cameron Slater saw and same goes for anybody browsing from a National IP. When the NBR uses language like "The National Party has admitted exploiting a security hole" they're just dramatising the story and dopes like you accept it. If you'd gone to that url and poked around their wide-open directory structure, your IP address would be in the logs as well. How's this for a headline: FIXED_TRUTH ADMITS EXPLOITING SECURITY HOLE.
Old 14th June 2011, 13:23     #57
Disinformation
 
Quote:
Originally Posted by fixed_truth
http://www.nbr.co.nz/article/nationa...leoil-ck-95242

Keep up the facade you're not an idiot, bro.
Having read the entire article, it's far from clear what order things actually happened in.
Old 14th June 2011, 13:27     #58
Ab
A mariachi ogre snorkel
 
Visiting a public URL with a web browser is hardly "exploiting a security hole".
Old 14th June 2011, 13:28     #59
^BITES^
 
Quote:
Originally Posted by Ab
Visiting a public URL with a web browser is hardly "exploiting a security hole".
Exactly

Quote:
Originally Posted by fixed_truth
Keep up the facade you're not an idiot, bro.
Nope ... you're the idiot. CCS is on the money.

This is BASIC ... BASIC IT shit here .... nothing used other than publicly available information.

ZOMG I just hacked the phone book using yellowpages.co.nz ... BAD ASS.
Old 14th June 2011, 14:12     #60
aR Que
 
Quote:
Just remember who is at fault here: National.
Fucking national!


I thought it was all a joke, till I read the comments, those people are serious O_O

Something about the average voter -> here <-
Old 14th June 2011, 14:17     #61
fixed_truth
 
Quote:
Originally Posted by Ab
Visiting a public URL with a web browser is hardly "exploiting a security hole".
Visiting a URL which gives you access to your opposition's private donor information that obviously wasn't intended to be made public - is exploiting the site's lack of security (even if legal and the info was public).
Old 14th June 2011, 14:21     #62
CCS
Stunt Pants
 
There is no exploiting

Keep spinning, brah.
Old 14th June 2011, 14:30     #63
^BITES^
 
Quote:
Originally Posted by fixed_truth
Visiting a URL which gives you access to your opposition's private donor information that obviously wasn't intended to be made public - is exploiting the site's lack of security (even if legal and the info was public).
Access to publicly available information != Exploit and BAD management (IT and internally).

Using the information to its maximum ability = Exploit

You're assuming the second one; the first one we know for sure.

Your car getting pinched, after it being locked down, secured alarmed etc = Burglary/Theft

Leaving your windows down and doors unlocked = Stupid Cunt

They left the door wide open and only have themselves to blame .... but it's probably easier to point the finger at the opposition. I'm surprised Labour hasn't dropped in "Anonymous" just because it's another fucking buzz word.

Last edited by ^BITES^ : 14th June 2011 at 14:31.
Old 14th June 2011, 14:42     #64
fixed_truth
 
Quote:
Originally Posted by ^BITES^
Leaving your windows down and doors unlocked = Stupid Cunt


They left the door wide open and only have themselves to blame
*sigh* I'm not saying that whoever was in charge of Labour's internet security is not stupid. I'm not saying it's National's fault that there was no security.

I'm merely saying that because of the sensitive nature of the material; National took advantage of the situation by accessing that information and keeping it to themselves that this private information was mistakenly made public.
Old 14th June 2011, 14:46     #65
CCS
Stunt Pants
 
It's hardly National's obligation to let Labour know that they fucked up their shitty website. National is busy with important shit. Like, y'know, running the country.
Old 14th June 2011, 14:48     #66
Ab
A mariachi ogre snorkel
 
Quote:
Originally Posted by fixed_truth
National took advantage of the situation by accessing that information and keeping it to themselves that this private information was mistakenly made public.
Oh boo fucking hoo. In the words of leftie blogger and former Labour staffer Phil Quin,

Quote:
This is a contact sport. Don’t blub to the ref when you’ve been unilaterally pantsed.
If Labour's doing something fucking retarded that reveals to the world that they shouldn't be trusted to organise a lolly scramble let alone run the country, and National finds out about it, National is under no obligation whatsoever to tell Labour about it or help them fix it.
Old 14th June 2011, 14:51     #67
Lightspeed
 
Quote:
Originally Posted by ^BITES^
Access to publicly available information != Exploit and BAD management (IT and internally).

Using the information to its maximum ability = Exploit

You're assuming the second one; the first one we know for sure.

Your car getting pinched, after it being locked down, secured alarmed etc = Burglary/Theft

Leaving your windows down and doors unlocked = Stupid Cunt
Thanks for those arbitrary definitions.
__________________
Stay shook. No sook.
Old 14th June 2011, 15:35     #68
fixed_truth
 
Quote:
Originally Posted by Ab
Oh boo fucking hoo.
Certainly, you're entitled to your opinion that National shouldn't have disclosed to Labour that their donors' financial transactions were public. I hope that you'll be consistent the next time Labour pulls one of these tricks.
Quote:
Originally Posted by Ab
If Labour's doing something fucking retarded that reveals to the world that they shouldn't be trusted to organise a lolly scramble let alone run the country, and National finds out about it, National is under no obligation whatsoever to tell Labour about it or help them fix it.
I see, it's Labour's MPs that are responsible for this rather than the IT security dude. Cool, glad my original question is answered.
Old 14th June 2011, 15:40     #69
fixed_truth
 
This is from the NBR
Quote:
For Lowdnes Jordan partner Rick Shera, the Crimes Act comes into play.
Mr Shera told NBR “The test is contained in section 252(1) of the Act.” That is:
Everyone is liable to imprisonment for a term not exceeding two years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.”

“The issue is whether Cameron Slater was authorised to access the material for any purpose. If he wasn’t, or if there was doubt and he just did it anyway without caring – that is, recklessly, then he may be liable.”

“In my view, authorisation carries with it the idea of an intention to allow access and not just an implicit authority through a lack of security, but the issue has never been tested,” Mr Shera said.
note: I have no idea the degree of authority this lawyer's opinion holds.
Old 14th June 2011, 15:48     #70
cyc
Objection!
 
The thing Shera doesn't appear to have understood is the "thin ice" principle in criminal law, i.e. you construe the statute in the least restrictive or most favourable way towards the defendant/potential defendant. His idea of authorisation appears to have an additional gloss that "reads up", rather than "reading down" the statute in favour of the potential defendant.

As far as I am aware, this issue is untested in NZ but on the face of it I don't like Shera's interpretation. It might be more "IT aware" or what have you but it's incompatible with how we normally interpret criminal law.
Old 14th June 2011, 15:50     #71
Ab
A mariachi ogre snorkel
 
Quote:
Originally Posted by fixed_truth
I see, it's Labour's MPs that are responsible for this rather than the IT security dude.
The Labour PARTY is responsible for this, and accordingly blame should be laid at the feet of the Party Secretary. If anything even approaching the gravity of this fuckup had happened in Australia the Secretary would have been clearing out his office 5 minutes later.

But for NZ Labour, as usual, it's always someone else's fault. It's all a plot. Those nasty bloggers. That terrible two-faced John Key. The vast right-wing media conspiracy. Labour, from the top down, is incapable of just plain admitting "YES WE FUCKED UP." Instead we get bullshit about "hacking".
Old 14th June 2011, 15:51     #72
^BITES^
 
Quote:
Originally Posted by Lightspeed
Thanks for those arbitrary definitions.
Thanks for not being intellectually dishonest in at least one post in the Politics sub-forum.

Quote:
Originally Posted by fixed_truth
I see, it's Labour's MPs that are responsible for this rather than the IT security dude. Cool, glad my original question is answered.
Who Built/secured the website?
Some moron.

Who hired the IT Security Dude? ("Moron")
Labour.

Labour --> Moron.

When shit hits the fan .. the IT guy fucked up sure .. but the management made it possible for him to fuck up, eg should have been told "SECURE THIS SHIT AS TIGHT AS A FROG'S ASS", run on its own framework etc etc all the "Good things". Facts are IT do what they are told or defined to do (see the numerous "customer asked for X but wanted Y" posts by a number of peeps on here).

If I fucked up, I fucked up .. but my company is the one that's in the shit ... not me, they hired and defined what the requirements are. Not the other way around.

Quote:
Originally Posted by fixed_truth
This is from the NBR

note: I have no idea the degree of authority this Lawyers opinion holds.
That's fine .. but how's that going to go with Google?

They were after all publishing those details on the largest search engine to date...... those cads! Take it to em labour! .. Prrrp .. FAIL.

Last edited by ^BITES^ : 14th June 2011 at 15:54.
Old 14th June 2011, 15:53     #73
^BITES^
 
Quote:
Originally Posted by cyc
As far as I am aware, this issue is untested in NZ but on the face of it I don't like Shera's interpretation. It might be more "IT aware" or what have you but it's incompatible with how we normally interpret criminal law.
/agree
Old 14th June 2011, 15:55     #74
Ab
A mariachi ogre snorkel
 
Quote:
Originally Posted by fixed_truth
This is from the NBR:

'“In my view, authorisation carries with it the idea of an intention to allow access and not just an implicit authority through a lack of security, but the issue has never been tested,” Mr Shera said.'
Apache has directory listings disabled in httpd.conf by default. For the directory tree to have been visible and indexable, someone had to change that setting and turn them on. Sounds like intention to allow access to me, m'lud!
Old 14th June 2011, 19:52     #75
MrTTTT
 
labour is embarrassing
Old 14th June 2011, 20:16     #76
DrTiTus
HENCE WHY FOREVER ALONE
 
Quote:
Originally Posted by Ab
Apache has directory listings disabled in httpd.conf by default.
Not sure this is 100% correct. "Options All" seems to be the default, which includes indexes. I don't think it's any less responsible to allow this to happen though - I'm in the habit of touch'ing index.php/htm to ensure the index option is largely irrelevant.
__________________
Finger rolling rhythm, ride the horse one hand...
Old 14th June 2011, 20:17     #77
fixed_truth
 
Quote:
Originally Posted by Ab
The Labour PARTY is responsible for this, and accordingly blame should be laid at the feet of the Party Secretary.
I agree that the Labour Party might have a duty of care; but won't the investigation make clearer where/how much blame should be laid? I mean do we know that a company wasn't contracted to keep the website secure?

Last edited by fixed_truth : 14th June 2011 at 20:21.
Old 15th June 2011, 11:14     #78
^BITES^
 
Quote:
Originally Posted by fixed_truth
I agree that the Labour Party might have a duty of care; but won't the investigation make clearer where/how much blame should be laid? I mean do we know that a company wasn't contracted to keep the website secure?
IT DOESN'T FUCKING MATTER aka ALL of it is on Labour. Honestly have you worked in a company before?

They hired said company, they are responsible for what that company does for them under their direction, that's what IT does. If they "purposely" leaked/made it insecure/failed to do their job, then grats Labour on making a shit choice on companies ... they are still responsible.

Facts are this could have ALL been avoided (or at minimum mitigated better) with a SIMPLE 2-4 grand penetration test from a number of independent companies, which is still Labour's responsibility.

Stop trying to pass the buck off to someone else .... it's their fuck up ... deal with it.

Quote:
Originally Posted by DrTiTus
Not sure this is 100% correct. "Options All" seems to be the default, which includes indexes. I don't think it's any less responsible to allow this to happen though - I'm in the habit of touch'ing index.php/htm to ensure the index option is largely irrelevant.
Checked on my fresh distro, "Options Indexes FollowSymLinks MultiViews" so you're probably right.

However "How to secure apache" in google comes up with all the basic information that would have almost completely avoided this....... (but .. they should already know this or hired someone that did.)

Last edited by ^BITES^ : 15th June 2011 at 11:16.
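The Options merge rules DrTiTus and ^BITES^ are poking at above are easy to get wrong once several Directory sections apply to one path, so here is an added Python checker (written for this thread, not code from any poster or from the Apache project) that folds a chain of Options lines the way httpd does and reports whether a directory listing would actually be served. The pre-2.3.11 versus 2.4 compiled-in defaults and the sample config lines are assumptions stated in the comments.

```python
"""Effective Apache 'Options' for a directory, and whether mod_autoindex
would serve a listing there. Merge rules follow the Options documentation:
an absolute list (no +/- prefixes) replaces the parent's set, a list in
which every token carries + or - is merged into it, and mixing the two forms
is a configuration error. 'All' expands to every option except MultiViews.
"""
import re

# Every option keyword httpd accepts, in canonical spelling.
KNOWN = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
         "Indexes", "MultiViews", "SymLinksIfOwnerMatch"}
ALL = frozenset(KNOWN - {"MultiViews"})  # what the keyword All expands to
CANON = {o.lower(): o for o in KNOWN}

# Assumed compiled-in defaults when no Options line applies at all: All before
# httpd 2.3.11 (every 2.2 build, the branch current in 2011), FollowSymLinks
# from 2.4 onward.
APACHE_22_DEFAULT = ALL
APACHE_24_DEFAULT = frozenset({"FollowSymLinks"})


def _expand(token):
    """Map one keyword (All, None or a single option) to a set of options."""
    low = token.lower()
    if low == "all":
        return ALL
    if low == "none":
        return frozenset()
    if low not in CANON:
        raise ValueError(f"unknown option {token!r}")
    return frozenset({CANON[low]})


def apply_options(line, inherited):
    """Apply a single 'Options ...' directive on top of an inherited set."""
    m = re.fullmatch(r"\s*Options\s+(.+?)\s*", line, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an Options directive: {line!r}")
    tokens = m.group(1).split()
    relative = [t[0] in "+-" for t in tokens]
    if all(relative):  # merge form: +Foo adds, -Bar removes
        current = set(inherited)
        for t in tokens:
            names = _expand(t[1:])
            current = current | names if t[0] == "+" else current - names
        return frozenset(current)
    if any(relative):  # httpd refuses this mix at startup
        raise ValueError(f"mixed absolute and relative Options: {line!r}")
    current = set()
    for t in tokens:  # absolute form: replaces whatever the parent had
        current |= _expand(t)
    return frozenset(current)


def effective_options(chain, default=APACHE_24_DEFAULT):
    """Fold the Options lines that apply to a path, outermost section first."""
    current = default
    for line in chain:
        current = apply_options(line, current)
    return current


def listing_served(chain, has_index_file, default=APACHE_24_DEFAULT):
    """True if a GET for the directory would get an autoindex page.
    mod_autoindex only runs when Indexes is on AND DirectoryIndex finds no
    index file, which is why touching an empty index.html also closes it."""
    return "Indexes" in effective_options(chain, default) and not has_index_file


if __name__ == "__main__":
    # Constructed sample: the Debian default quoted in the thread, then a
    # nested section that switches Indexes off.
    stock = ["Options Indexes FollowSymLinks MultiViews"]
    print("stock config, no index file:", listing_served(stock, False))
    print("after 'Options -Indexes'   :", listing_served(stock + ["Options -Indexes"], False))
    print("no Options line, httpd 2.2 :", listing_served([], False, APACHE_22_DEFAULT))
```

Feed it the Options lines from the server config, the vhost and each nested Directory or .htaccess in order to see what a given directory actually ends up with.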
Old 15th June 2011, 11:51     #79
fixed_truth
 
Quote:
Originally Posted by ^BITES^
IT DOESN'T FUCKING MATTER aka ALL of it is on Labour. . .
Stop trying to pass the buck off to someone else .... it's their fuck up ... deal with it.
Of course ultimately the buck stops with the Labour Party. But what you don't seem to understand is that the difference between Labour being careless vs a hired legitimate IT company not doing their job properly is a difference in what action should be taken. I.e. if the latter is true, I think that firing the Party Secretary is a bit severe.

If the latter scenario IS true, who do you think should be held accountable in the Labour Party and what should happen to them?
Old 15th June 2011, 12:11     #80
^BITES^
 
Quote:
Originally Posted by fixed_truth
Of course ultimately the buck stops with the Labour Party. But what you don't seem to understand is that the difference between Labour being careless vs a hired legitimate IT company not doing their job properly is a difference in what action should be taken. I.e. if the latter is true, I think that firing the Party Secretary is a bit severe.

If the latter scenario IS true, who do you think should be held accountable in the Labour Party and what should happen to them?
No I do ... I know because that's the industry I work in. Especially IT and moreso IT security, for a large company (NZ standards anyway ~600 users).

If the IT company was not doing their job, then they hired a shit company or the requirements were badly defined or managed. This would have been found through some BASIC analysis ... fucking up Apache settings on Indexes is fucking nub shit. Shit even just a search on Google would have pointed out how fail this was.
Further to that (could have read the whole post rather than me repeating it), an independent review of "Externally hosted" kit is fairly normal for something as "critical" as this appears to be (user data especially!), it's not hard ... or expensive and would have avoided/mitigated a lot of this.

So based on your daft logic, how exactly does failure to check critical work, or failure to define the service parameters to a contracted service indicate the ability to run a country?

Can't manage a single website ... but wants to manage the country. Solid logic there. Ahhh no.

(FYI I don't vote or support labour/national/anyone in case you are curious about my political agenda here .... this is basic fucking up at management/IT level of the extreme basics.)

My guess is in a "gun related crime" you blame the gun for killing someone. Bout right?
© Copyright NZGames.com 1996-2023