Old 15th June 2011, 22:25     #121
Ab
A mariachi ogre snorkel
 
Quote:
Originally Posted by fixed_truth
Again, there's no obligation to the Labour Party. I think that there's an obligation to the citizens whose confidential information was there for the taking without them knowing.
And how exactly would National know which fine upstanding citizens were at risk?

OH THEY'D JUST DOWNLOAD THE EXPOSED DATABASE FROM THE OPEN LABOUR WEBSITE, OF COURSE
Old 15th June 2011, 22:27     #122
Lightspeed
 
o_O

Quote:
Originally Posted by drone
lolwhut.

Are you seriously claiming what makes you secure is different servers?

This whole thread is providing great additions for my "Do Not Hire" list.
That would be part of a secure implementation of such services, wouldn't it?
__________________
Stay shook. No sook.
Old 15th June 2011, 22:31     #123
ZoSo
 
Maybe they should've sent Peter Goodfellow over to Melbourne to dig up an IT person for them. It's what mates do.
Old 15th June 2011, 22:36     #124
drone
 
Quote:
Originally Posted by Lightspeed
That would be part of a secure implementation of such services, wouldn't it?
Bluntly, nothing is secure. You allow data to pass between the Internet and some systems, no matter how indirect, and there will be a way to attack it.

But looking past that, sure, isolation of roles is a fairly common band-aid to mitigate and contain risks, but it's not a be-all-end-all solution. It's not a magic bullet which fixes everything else wrong with your setup. And you could build something which was actually more secure on a single server than a poorly implemented tiered approach.

Pretty sure Sony had more than one server, didn't do them a shitload of good did it?
__________________
Drone. Now with 17% more filling!
Old 15th June 2011, 22:44     #125
fixed_truth
 
Quote:
Originally Posted by Ab
And how exactly would National know which fine upstanding citizens were at risk?

OH THEY'D JUST DOWNLOAD THE EXPOSED DATABASE FROM THE OPEN LABOUR WEBSITE, OF COURSE
I'm not sure your point. They wouldn't have to report it to the people at risk.
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
Old 15th June 2011, 22:50     #126
Lightspeed
 
Quote:
Originally Posted by drone
Bluntly, nothing is secure. You allow data to pass between the Internet and some systems, no matter how indirect, and there will be a way to attack it.

But looking past that, sure, isolation of roles is a fairly common band-aid to mitigate and contain risks, but it's not a be-all-end-all solution. It's not a magic bullet which fixes everything else wrong with your setup. And you could build something which was actually more secure on a single server than a poorly implemented tiered approach.

Pretty sure Sony had more than one server, didn't do them a shitload of good did it?
Well, I think the last few pages have been about how Labour's servers weren't attacked, rather they were casually perused by innocent victims who unwittingly stumbled across and naively acquired the data. Victims who are being made out to be evil villains by left-wing nutters on this forum.

So having the services split between boxes would have certainly protected innocent National party members in this case, right?
__________________
Stay shook. No sook.
Old 15th June 2011, 23:06     #127
drone
 
Quote:
Originally Posted by Lightspeed
Well, I think the last few pages have been about how Labour's servers weren't attacked, rather they were casually perused by innocent victims who unwittingly stumbled across and naively acquired the data. Victims who are being made out to be evil villains by left-wing nutters on this forum.

So having the services split between boxes would have certainly protected innocent National party members in this case, right?
TBH I don't really care about whether National or Labour or whoever is being attacked, or who is responsible for "cover ups" and car chases and whatever else the movie plot in their brain has. I merely noted that immediately saying "Hey, we're secure because we've got two servers, ha ha they weren't because they had one" is naive.

That's all. I don't think a debate about hypothetical "better" designs is very useful, because in this case it looks like the problems were a bit more fundamental than how many servers they had. In general if one server is badly run, two is not going to be any better, right?

And given one was badly run, I doubt a single bit of this thread and who did what to whom would change if there were two. Or twenty.
__________________
Drone. Now with 17% more filling!
Old 15th June 2011, 23:11     #128
^BITES^
 
Quote:
Originally Posted by drone
Bluntly, nothing is secure.
Amen.
__________________
, ______
/l ,[____],
l---⌐¬-0lllllll0-

()_) ()_)--o-)_)
Old 16th June 2011, 00:24     #129
Ab
A mariachi ogre snorkel
 
Quote:
Originally Posted by drone

And given one was badly run, I doubt a single bit of this thread and who did what to whom would change if there were two. Or twenty.
Truth
Old 16th June 2011, 06:54     #130
smudge
Ich Bin Ein Grey Lynner
 
Quote:
Originally Posted by drone
lolwhut.

Are you seriously claiming what makes you secure is different servers?
What I was saying is: the membership donations data was leaked because whoever did the campaign site did it on a virtual host of the same box that did the membership system, and they fucked up. The membership data was on another virtual host on that same box. Labour would have cared more about the security of their membership data than they did about security around a flash campaign site which does nothing but provide a bit of information. But the lack of time and money spent on the security of that campaign site made it the weakest link and point of entry for the others.

It was a bad management decision to not treat them as something that had to be kept separate in the first place. For both security and conflict of interest reasons, being that the labour site is supposed to be run by parliamentary services and other sites not.

Last edited by smudge : 16th June 2011 at 06:58.
Old 16th June 2011, 07:48     #131
Lightspeed
 
Quote:
Originally Posted by drone
I merely noted that immediately saying "Hey, we're secure because we've got two servers, ha ha they weren't because they had one" is naive.
It sure is. But no one said that, this is what you extrapolated to, finishing with a nice gloat about how you're all important and hire people and shit.
__________________
Stay shook. No sook.

Last edited by Lightspeed : 16th June 2011 at 07:49.
Old 16th June 2011, 08:04     #132
Golden Teapot
Love, Actuary
 
Quote:
Originally Posted by ^BITES^
Amen.
This and its precursor is a stupid thing to say. It's like observing that nobody lives forever whilst refusing to acknowledge that there's a mighty big difference between the minimum experienced lifespan and the maximum.

Have a light and a button on the network and internet sides of the connection and stand a trained pigeon in the middle. Connected? Absolutely. Likelihood of getting anything unexpected to flow in either direction? Pretty slim.
Old 16th June 2011, 08:18     #133
StN
I have detailed files
 
So, did the details exposed include the credit card numbers of those making donations? Because if so, they are probably now in breach of contract with their bank, and may have their merchant status revoked...

That's gotta hurt on the run up to a costly venture.
Old 16th June 2011, 08:22     #134
^BITES^
 
Quote:
Originally Posted by Golden Teapot
This and its precursor is a stupid thing to say. It's like observing that nobody lives forever whilst refusing to acknowledge that there's a mighty big difference between the minimum experienced lifespan and the maximum.

Have a light and a button on the network and internet sides of the connection and stand a trained pigeon in the middle. Connected? Absolutely. Likelihood of getting anything unexpected to flow in either direction? Pretty slim.
"Pretty slim" ... what? Your idea of "nothing is secure" seems to differ from what was implied... what you just said isn't 100% secure, you said it yourself, "pretty slim", so there's a chance, there always is, that was the point.

What drone was saying is absolutely correct, there's no such thing as "secure" even if it's completely air gapped. Because even then a user is in control of the "air gap" and thus there's a flaw, which could be exploited through the (currently) most common form/successful method of hacking, social engineering.

If you think anything else eg "I'm completely secure" you are fooling yourself.

"Security" end of the day is all about mitigation. Mitigate as much as possible and put points on risks (normally where a user or admins need access or communication to/from said device is required) completely secure is a myth. Any high-security oriented person worth their salt would agree and only idiots would say they were 100% secure, (see any of the recent lulz etc events as a prime example).

I'm not really that keen to get into a long term debate about this as (same angle as drone here, many ways to skin a cat etc etc and this probably isn't the place to discuss "IT best practices" and "meaning of 'nothing is secure'") I can't be arsed rinsing and repeating the same shit that's been said before.
__________________
, ______
/l ,[____],
l---⌐¬-0lllllll0-

()_) ()_)--o-)_)

Last edited by ^BITES^ : 16th June 2011 at 08:27.
Old 16th June 2011, 09:16     #135
fixed_truth
 
Quote:
Originally Posted by StN
So, did the details exposed include the credit card numbers of those making donations?
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
Old 16th June 2011, 09:48     #136
spigalau
 
Quote:
Originally Posted by StN
So, did the details exposed include the credit card numbers of those making donations? Because if so, they are probably now in breach of contract with their bank, and may have their merchant status revoked...

That's gotta hurt on the run up to a costly venture.
I don't believe actual credit card details were obtained; it appears the payment transactions were processed by a secure third party (flo2) and the only data sent back (and stored insecurely) were the payment validation strings. But one does wonder what personal data was also stored within their CiviCRM system; this could lead to cases of identity theft, methinks.

Anyone fancy being called Greg Presland ?

Better hope that David Garret didn't grab a copy of that dB.
__________________
Spig.

Last edited by spigalau : 16th June 2011 at 09:51.
Old 16th June 2011, 10:08     #137
Ab
A mariachi ogre snorkel
 
the "oh noes CC details were exposed" thing is a bit of a diversion IMHO. The most damning elements here are:

1. The Labour Party has once again demonstrated its keen ability to fuck up in public at the worst possible time. Hey look everyone, the first significant polling jump for Labour in months--WHOOPS HERE COMES ANOTHER FUCKUP, FORGET THE POLLS LET'S TALK INCOMPETENCE.

2. The Labour Party has shown its donors and members that it can't be trusted to keep their details confidential. That means people will be less likely to donate and join in the future. In an election year, that hurts.

3. A blogger not known for his love of Labour nor for his restraint now has a list of everyone on Labour's database. Every time "concerned mother Jane Smith of Ohakune" comments in an interview that "she is politically neutral but she thinks Anne Tolley is the Antichrist" that list is going to get grepped and we're going to hear that politically-neutral Jane Doe is a Labour Party member and frequent donor, and the story will become a story about Labour trying to influence the media through sock puppets. Fail fail fail.
Old 16th June 2011, 10:16     #138
MrTTTT
 
Lolbour
Old 16th June 2011, 10:26     #139
[WanG] Wandarah
 
Not sure Joe Labour really understands what's happened here, or cares very much.
Old 16th June 2011, 10:32     #140
Lightspeed
 
Very sad

Quote:
Originally Posted by Ab
the "oh noes CC details were exposed" thing is a bit of a diversion IMHO. The most damning elements here are:

1. The Labour Party has once again demonstrated its keen ability to fuck up in public at the worst possible time. Hey look everyone, the first significant polling jump for Labour in months--WHOOPS HERE COMES ANOTHER FUCKUP, FORGET THE POLLS LET'S TALK INCOMPETENCE.

2. The Labour Party has shown its donors and members that it can't be trusted to keep their details confidential. That means people will be less likely to donate and join in the future. In an election year, that hurts.

3. A blogger not known for his love of Labour nor for his restraint now has a list of everyone on Labour's database. Every time "concerned mother Jane Smith of Ohakune" comments in an interview that "she is politically neutral but she thinks Anne Tolley is the Antichrist" that list is going to get grepped and we're going to hear that politically-neutral Jane Doe is a Labour Party member and frequent donor, and the story will become a story about Labour trying to influence the media through sock puppets. Fail fail fail.
Harsh/true.
__________________
Stay shook. No sook.
Old 16th June 2011, 11:26     #141
drone
 
Quote:
Originally Posted by smudge
What I was saying is: the membership donations data was leaked because whoever did the campaign site did it on a virtual host of the same box that did the membership system, and they fucked up. The membership data was on another virtual host on that same box. Labour would have cared more about the security of their membership data than they did about security around a flash campaign site which does nothing but provide a bit of information. But the lack of time and money spent on the security of that campaign site made it the weakest link and point of entry for the others.

It was a bad management decision to not treat them as something that had to be kept separate in the first place. For both security and conflict of interest reasons, being that the labour site is supposed to be run by parliamentary services and other sites not.
As I said, if you run one box badly you'll prolly run two boxes badly. From my understanding of the fault it wouldn't have changed the outcome if they had two servers split in the way you're describing. It may have taken longer to uncover the problem, it may have even gone undetected for the life of the system, but there's no indication to me the problem wouldn't have existed based on what the root causes of the problem were.

Again, there's a hugely misguided assumption going on that because good designs have multiple servers that multiple servers is inherently good design. That's just not the case, not in isolation. There are a world of ways you can fuck up a design where number of servers just isn't going to change the outcome.

Many many people think they're secure because they've met some checklist or they've spent a lot of money on "security" (cf, Hell), or because they have never been compromised. It's very naive and the day someone takes an interest in your servers you will find out just how quickly you can find your pants around your ankles.

In this case, I doubt Labour made any significant design decisions about how this was hosted at all (and almost certainly not what the root cause was). They contracted a company to host things for them, and like a lot of non-technical customers expected said company would do a reasonable job.

(I'm ignoring the rest of the non-technical parts of this discussion because honestly it's a mudslinging match I don't think is useful. I suspect if Slater had gotten so much as a 1x1 transparent GIF out of a directory he shouldn't have known about it would have immediately blown up into X hacked Y blah blah blah.)
__________________
Drone. Now with 17% more filling!
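One practical takeaway from smudge's and drone's exchange above is that, whatever the server count, a browsable directory on the least-loved vhost is exactly how this kind of data walks out the door, and it is cheap to check for before someone else does. The script below is an added example, not code from the thread or from any of the sites it discusses: it parses an Apache/nginx-style autoindex page and flags file names that have no business in a public listing (CiviCRM's real settings file name, civicrm.settings.php, which holds the database DSN including the password in plain text, plus SQL dumps, backups and editor leftovers). The two HTML responses are constructed for this example and the file names in them are hypothetical.

```python
"""Detect web-server directory listings and flag sensitive files in them.

Added example, not code from the thread. SAMPLE_LISTING and SAMPLE_NORMAL are
constructed to look like an Apache mod_autoindex page and an ordinary page;
every path in them is hypothetical.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# File names that should never appear in a public listing. civicrm.settings.php
# is CiviCRM's settings file and carries the database credentials in clear text.
SENSITIVE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"civicrm\.settings\.php$",
    r"(^|/)settings\.php$",
    r"wp-config\.php$",
    r"\.sql(\.gz|\.bz2|\.zip)?$",          # database dumps
    r"(\.(bak|old|orig|swp)|~)$",           # backups and editor leftovers
    r"(^|/)\.env$",
    r"(^|/)\.htpasswd$",
    r"\.(tar\.gz|tgz|tar|zip|7z)$",         # archives
)]


class _Links(HTMLParser):
    """Collect the <title> text and every <a href> on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse(html):
    parser = _Links()
    parser.feed(html)
    parser.close()
    return parser


def is_directory_listing(html):
    """Apache mod_autoindex and nginx autoindex both title the page 'Index of /path'."""
    return _parse(html).title.strip().startswith("Index of ")


def listed_files(html):
    """Return the file entries of a listing, skipping sort links, the parent link
    and subdirectories (which end in '/')."""
    files = []
    for href in _parse(html).hrefs:
        if href.startswith(("?", "#", "/", "../")) or href.endswith("/"):
            continue
        files.append(unquote(href))
    return files


def sensitive_files(html):
    return [f for f in listed_files(html)
            if any(pat.search(f) for pat in SENSITIVE_PATTERNS)]


def audit(status_code, html):
    """Summarise one fetched URL: is it a listing, and what does it expose?"""
    listing = status_code == 200 and is_directory_listing(html)
    return {
        "directory_listing": listing,
        "sensitive": sensitive_files(html) if listing else [],
    }


# Constructed sample responses (hypothetical paths).
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="civicrm.settings.php">civicrm.settings.php</a>
<a href="donations-2011.sql.gz">donations-2011.sql.gz</a>
<a href="images/">images/</a>
<a href="logo.png">logo.png</a>
<hr></pre></body></html>"""

SAMPLE_NORMAL = ('<html><head><title>Campaign home</title></head>'
                 '<body><a href="about.html">About</a></body></html>')

if __name__ == "__main__":
    for name, page in (("listing", SAMPLE_LISTING), ("normal page", SAMPLE_NORMAL)):
        print(name, audit(200, page))
```

In practice you would feed `audit()` the status code and body of each URL you crawl on every vhost the box serves, not just the one you care about, because as the thread points out the entry point was the site nobody was watching. Turning the listing off (`Options -Indexes` in Apache, `autoindex off` in nginx) fixes the symptom; keeping settings files and dumps out of the document root fixes the cause.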
Old 16th June 2011, 11:38     #142
StN
I have detailed files
 
Quote:
Originally Posted by spigalau
I don't believe actual credit card details were obtained
Good point, although Slater does mention that the login credentials for the external database where they are stored was visible in plain text, but he didn't go the extra step. So they probably didn't get offside with the bank.
Old 16th June 2011, 12:40     #143
fixed_truth
 
Quote:
Originally Posted by spigalau
Better hope that David Garret didn't grab a copy of that dB.
ahaha

Quote:
Originally Posted by drone
In this case, I doubt Labour made any significant design decisions about how this was hosted at all (and almost certainly not what the root cause was). They contracted a company to host things for them, and like a lot of non-technical customers expected said company would do a reasonable job.
Interesting.
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
Old 16th June 2011, 17:30     #144
Golden Teapot
Love, Actuary
 
Quote:
Originally Posted by ^BITES^
so there's a chance, there always is, that was the point.
Yep - the pigeon might die. But it's not a useful position to take. There is a chance of most things happening. For example, there's a chance you'll be dead before you next come to this forum. And, that chance is much greater than some of the chances being talked about here. Yet, do you worry about this or talk about it as a possibility, or worse, mark someone down for not conceding such a chance is real (despite being irrelevant)?
Old 18th June 2011, 00:29     #145
chubby
 
Laugh

Quote:
Nat websites publicly-funded
http://thestandard.org.nz/nat-websites-publicly-funded/
__________________
"Take four red capsules, in ten minutes-take two more. Help is on the way."
Old 18th June 2011, 00:54     #146
CCS
Stunt Pants
 
Is that bad? I mean, those websites mentioned actually state that they are publicly funded, so it's not exactly a secret.
__________________
I just want to understand this, sir. Every time a rug is micturated upon in this fair city, I have to compensate the owner?
Old 18th June 2011, 07:57     #147
xor
 
Wow, some real good detective work right there. Using Whois to get to the bottom of this conspiracy
Old 18th June 2011, 10:14     #148
ZoSo
 
Quote:
Originally Posted by CCS
Is that bad?
Hardly.

This is though.
Old 18th June 2011, 11:06     #149
fixed_truth
 
Linking to whaleoil . . . that's a paddlin

__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
Old 18th June 2011, 11:11     #150
ZoSo
 
True. But it is he who is digging through the Labour lols atm.
Old 18th June 2011, 11:20     #151
chubby
 
Cheesy grin

heh.bugger
__________________
"Take four red capsules, in ten minutes-take two more. Help is on the way."
Old 18th June 2011, 13:29     #152
Ab
A mariachi ogre snorkel
 
Quote:
Originally Posted by ZoSo
This is though.
That is both shocking and totally predictable.

Were this to have happened in Australia Labour would be on the receiving end of a stupendous fine for breach of privacy.
Old 18th June 2011, 18:53     #153
Lightspeed
 
Douchebags.

So why doesn't any MP want to accept these postcards from the NZEI? Do they fucking hate kids, or is it some kind of parliamentary protocol?
__________________
Stay shook. No sook.
Old 18th June 2011, 19:58     #154
fixed_truth
 
I'd be interested to know the privacy statement associated with the post-cards.

This might clarify if NZEI were permitted to forward the postcards to Moroney to present to the Prime Minister and if after the PM refused them Moroney was permitted to use the information.

It looks like Moroney claims the database was used to send a one off response to the signatories letting them know the situation. Ok, then she just forgot to delete the database!?! Not a good look.
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
Old 19th June 2011, 14:36     #155
fixed_truth
 
Quote:
Originally Posted by fixed_truth
I'd be interested to know the privacy statement associated with the post-cards.
No privacy statement.
http://www.nzei.org.nz/site/nzeite/f...e_postcard.pdf

I wonder if this still means NZEI providing Labour the emails was a privacy breach?
__________________
Protecting your peace is way more important than proving your point. Some people aren't open to cultivating their views. Just let them be wrong.
Old 20th June 2011, 08:33     #156
^BITES^
 
Quote:
Originally Posted by Golden Teapot
<Generic Manager Waffle>
Yep - the pigeon might die. But it's not a useful position to take. There is a chance of most things happening.
<Generic Manager Waffle>
So still trying to talk around the fact that NOTHING is secure, change tack, same shit. You've just said yourself (AGAIN) "There is a chance", being unlikely doesn't make the possibility vanish duuurrrrr ... possibility != completely secure with no chance of breach, e.g. "Nothing is secure". Christ, do you need this in crayon?

Especially in this particular case of a web facing internet service which this was specifically referred to (and you still haven't posted anything worth reading on that point ... you're currently arguing semantics of the statement). I'm not exactly shocked here ... you sound like a manager quoting computerworld like you're best mates with Bill Gates because you upgraded to windows 7 at home this weekend.

You've gone from best practice to "what is most likely" again .. failing the actual point of the statement (and more so understanding what it meant to this particular issue, still haven't posted anything worth reading on that ....). It is a commonly used term for security (similar to "if you can [physically] touch it security is breached), because only fucking idiots believe they can achieve 100% secure environment (especially where user interaction is required!!!). You clearly fit this bill, and like living in that dream world, continue I don't care. A lot of companies lately have enjoyed that kind of stupid biting them in the ass. Quite the show tbh.

As I've said before I don't care to argue the semantics of a commonly used IT security statement/best practice here, more so arguing a statement used by people with a lot higher IQs and pay rates than myself! Especially with someone that clearly knows fuck all about it ... baselessly arguing semantics.
__________________
, ______
/l ,[____],
l---⌐¬-0lllllll0-

()_) ()_)--o-)_)

Last edited by ^BITES^ : 20th June 2011 at 08:35.
Old 20th June 2011, 19:55     #157
Golden Teapot
Love, Actuary
 
Quote:
Originally Posted by ^BITES^
So still trying to talk around the fact that NOTHING is secure, change tact, same shit.
Turn your eyes on this time and read.

My point was that it is not useful observing that nothing is secure since this requires introducing events that have no practical probability of occurrence.

In every valid context examined by the direction of your argument risk can be mitigated to the extent that it is acceptable at all levels from the individual up through every legal construct ultimately ending in everything contained under the umbrella of mankind.

Most businesses operate at probabilities of insolvency measured in percent. Highly regulated companies (financial services) are almost never required to get down lower than a 0.01% chance of insolvency over the short term. Any part of your argument that involves in aggregate a risk lower than that is irrelevant; theoretically present but utterly uninteresting.

Do you now understand?
Old 20th June 2011, 20:10     #158
DrTiTus
HENCE WHY FOREVER ALONE
 
Snore

Quote:
Originally Posted by Golden Teapot
utterly uninteresting
__________________
Finger rolling rhythm, ride the horse one hand...
Old 20th June 2011, 21:16     #159
Ab
A mariachi ogre snorkel
 
Quote:
Thousands of people who signed an early childhood education petition have had their email addresses added to a Labour Party database, with leader Phil Goff saying it was solely to let people know the outcome of the campaign.
http://www.nbr.co.nz/article/labour-...paign-ck-95615

"D" is for DODGY.
Old 21st June 2011, 07:03     #160
Golden Teapot
Love, Actuary
 
It's easy to act with integrity most of the time because nothing out of the ordinary needs to be done; just ambling along through life will generally speaking let you stay on the right side of the line.

The test comes when something special happens. For example, where you can take advantage of another without them likely finding out. Of course nobody should do this because such an action puts you in the bad-person camp.

Political parties get the integrity test more often than ordinary people simply because they're involved in far more things than ordinary people are, i.e. exposure to more events means more events that matter come up. Labour seem to make a habit of failing the integrity test. For example, not so long ago we saw them comparing increases in gross wage inflation in a situation when they knew two things: first, that the comparison they were making only made sense if done on a net-of-tax basis (and the result on this basis was the opposite of what they were claiming). Second, that most people aren't good at mathematics and thus were likely to be fooled by Labour's lie. The intent here was to mislead good honest people into believing a significant bare-faced lie that itself was told purely for electioneering purposes.

Now we see that same integrity test being failed again. Here we have their union buddies exploiting the naivety of a group of people who wanted to express their view on a matter to harvest contact details of people who might be swayed to vote for labour.

On one level Labour could win the election. Its normal position is not that different to National. The lefties love them for being a left party. But therein lies the problem - they just keep on telling porkies. Labour is a centre party (most of the time) that seems to be positioning itself as the party that will lie through their teeth every chance they get. This is a bizarre electioneering position to take. The top echelon of that party is obviously going to need to go and they'll spend six years starting again - not that they look in any rush to actually start.

No matter though - the other centre party will keep the keel straight.
© Copyright NZGames.com 1996-2023
Site paid for by members (love you guys)