Friday, May 31, 2019

Breaching data privacy for fun and profit


A lot of organisations hold confidential data and have obligations to keep that data secure.  I work for one, and IT security is something I have to take seriously because we provide publicly accessible services on a network that also stores personal information about our staff and customers, confidential administration documents, financial data, etc., all of which must be kept secure from public access.  It's the stuff of nightmares, because the people tasked with maintaining that confidentiality when working with the data are ordinary, fallible humans who make mistakes, while the people who'd like unauthorised access to that data for their own purposes are clever, ingenious, ruthless types who'll find and exploit any mistake they encounter.

It feels like a lot of responsibility to carry (and my share of that responsibility is trivial compared to that of my organisation's IT Security Manager, he must have a whisky habit that would kill a lesser man).

One thing I had, apparently incorrectly, assumed up until now was that at least the nation's politicians are on our side and will take data theft seriously as a matter of the public good. If one of our staff makes a mistake and leaves a security loophole that opens access to confidential data for people who can find the loophole and exploit it, it seemed reasonable to assume that the government would treat as criminals the people who'd exploit that security hole to gain unauthorised access to our data.

It turns out I was wrong. No less a figure than the Leader of Her Majesty's Loyal Opposition and leader of the National Party, Simon Bridges, says that if someone finds such a security loophole in our system and exploits it for unauthorised access to our confidential data, it's "entirely appropriate" for them to do so.  The NZ Police, for their part, don't see anything worth prosecuting in it. This is mind-boggling stuff.

National's supporters, and a range of people who ought to know better, have said that exploiting such security holes for unauthorised access is fine because it's not "hacking." Easy for them to say.  Those of us with responsibility for confidential data have no fucks to give about what's defined as "hacking" and what isn't, there's only authorised access to your data vs unauthorised access to your data, and the people looking for a way to gain unauthorised access to your data are data-thieving scum, whether they meet some arbitrary definition of "hacker" or not.

The activity that Simon Bridges is so proud of falls cleanly into that category of "data-thieving scum."  He's been careful to present it as just having used a publicly-available search engine. As a data custodian of my organisation, I consider that to be a disingenuous excuse from a data thief.

Here's what happened:

  1. The documents were secured on Treasury's web site to prevent public access.
  2. A staff member made a mistake and didn't block the site's search engine from indexing the documents.
  3. Anyone finding those documents via the search engine would find access to the documents blocked, and would know why they were blocked.
  4. However, the security hole caused by the staff member's mistake could be exploited. The search engine displays a brief amount of text either side of the search term it found, so if you bombard the search engine with enough search terms, those brief snippets of text can be collated and a partial view of the secured documents constructed. 
  5. People working for the National Party used the exploit, obtained some of the secure documents' contents, and used them for the party's advantage. 
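The failure in steps 2 to 4 is that the site search index held the text of documents the web server itself would refuse to serve, so every query leaked a snippet. The following is an added defender-side example, not code from the post or from Treasury: an audit that lists documents the index can quote but the site will not serve, and a check over constructed search-log records for the "bombard the search engine" pattern (many distinct queries from one client in a short window, repeatedly hitting restricted documents). Record fields, document ids, client addresses and thresholds are all assumptions made for this example.

```python
"""Snippet-leak audit and snippet-harvesting detection (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed search-log records, not real logs.
# Each record: (ISO timestamp, client, query string, ids of documents returned)
SEARCH_LOG = [
    ("2019-05-28T09:00:01", "203.0.113.7", "budget 2019", ["pub-001", "emb-017"]),
    ("2019-05-28T09:00:04", "203.0.113.7", "mental health", ["emb-017"]),
    ("2019-05-28T09:00:06", "203.0.113.7", "housing", ["emb-018", "pub-004"]),
    ("2019-05-28T09:00:09", "203.0.113.7", "defence", ["emb-017"]),
    ("2019-05-28T09:00:11", "203.0.113.7", "rail", ["emb-018"]),
    ("2019-05-28T09:00:13", "203.0.113.7", "education", ["emb-017", "emb-018"]),
    ("2019-05-28T09:00:15", "203.0.113.7", "conservation", ["emb-018"]),
    ("2019-05-28T09:30:00", "198.51.100.2", "budget 2019", ["pub-001", "emb-017"]),
    ("2019-05-28T11:12:40", "198.51.100.9", "annual report", ["pub-002"]),
]

# Constructed: document ids the web server refuses to serve without
# authorisation. If the index still holds their text, snippets leak.
RESTRICTED_DOCS = {"emb-017", "emb-018"}


def indexed_but_restricted(indexed_docs, restricted_docs):
    """Root-cause audit: documents the search index can quote that the site
    will not serve. A non-empty result means controlled content is reachable
    through search snippets regardless of the access check on the page.
    The fix is to keep such documents out of the index entirely."""
    return sorted(set(indexed_docs) & set(restricted_docs))


def snippet_harvest_clients(log, restricted_docs, window_seconds=60,
                            min_queries=5, min_restricted_hits=3):
    """Flag clients that fire many distinct queries within one time window
    and keep getting restricted documents back in the results.
    Returns {client: summary of the first qualifying window}."""
    by_client = defaultdict(list)
    for ts, client, query, docs in log:
        by_client[client].append((datetime.fromisoformat(ts), query, set(docs)))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            queries = {q for _, q, _ in burst}
            restricted_hits = sum(1 for _, _, d in burst if d & restricted_docs)
            if len(queries) >= min_queries and restricted_hits >= min_restricted_hits:
                leaked = set().union(*(d for _, _, d in burst)) & restricted_docs
                flagged[client] = {
                    "window_start": start.isoformat(),
                    "distinct_queries": len(queries),
                    "restricted_hits": restricted_hits,
                    "restricted_docs": sorted(leaked),
                }
                break  # one alert per client is enough
    return flagged


if __name__ == "__main__":
    # Constructed index contents for the audit.
    indexed = {"pub-001", "pub-002", "pub-004", "emb-017", "emb-018"}
    print("indexed but restricted:", indexed_but_restricted(indexed, RESTRICTED_DOCS))
    for client, summary in snippet_harvest_clients(SEARCH_LOG, RESTRICTED_DOCS).items():
        print(client, summary)
```

The single-query client that happens to hit a restricted document is not flagged; only the rapid, broad enumeration is, which is the behaviour a search-log review would need to distinguish from ordinary use.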


In other words, National found a security failure, figured out how to exploit it and then exploited it for unauthorised access to confidential data for its own advantage.  That, National, is called data theft and is one of the biggest fears of people with responsibility for the security of their organisation's data. Your claim that it's the victim's fault for not securing their property properly is exactly the kind of claim a thief makes, and the fact that the Police believe our legislation doesn't make such activity illegal is an indictment of our data privacy legislation, not an endorsement of your actions.  You're supposed to be a government in waiting, for fuck's sake.

My message to the current government is: please take data privacy seriously.  Finding and exploiting a staff member's security mistakes to gain unauthorised access to confidential data should be a crime - please make it so.

75 comments:

Noel said...

Like Assange, his "I'm no different from a journalist and can legally not have to reveal my sources" has turned out to be bovine stuff.

Gerald said...

http://www.medialawjournal.co.nz/?p=717

Johno said...

I don't think Milt is ever going to get over Grant's big day being ruined.

pdm said...

`The documents were secured on Treasury's web site to prevent public access.'

Obviously not Milt and therein lies the problem as they were obviously in the public arena.

gravedodger said...

Aw Milt those nasty Nats doing diligent opposing, stumbled on a trove by clicking a search button on a publicly available website being prepared for the publicity splurge and the pokey spilt a jackpot.

Were you as incensed when 'Rawshark' and his gang did their real hacking or is it just another dish of socialist good national bad from a very tired menu badly in need of refreshing.

Robertson had neither the balls nor the integrity to offer a resignation, safe in the knowledge it would never be accepted, says it all really.

Back your bus up and rewrite that steaming pile of male bovine excrement as if it had occurred while English was in the gun.
No thought not.

When the mob you hold in a status close to that enjoyed by Mother Teresa, I will await with enhanced expectation for the leaders of Labour and assorted lapdogs to eschew any similar opportunity that in all probability will come far less legally from a socialist public servant only intent on acting for the greater good.

Pull the other one it plays make NZ Great again set to Scotland The Brave.

Psycho Milt said...

Obviously not Milt...

Obviously yes, pdm. I explained in the post how they managed to steal the data despite the documents not being publicly accessible.

Psycho Milt said...

Aw Milt those nasty Nats doing diligent opposing, stumbled on a trove by clicking a search button on a publicly available website being prepared for the publicity splurge and the pokey spilt a jackpot.

I explained in the post why data theft isn't funny. Only the most truculent die-hard partisan could approve of National doing it.

Were you as incensed when 'Rawshark' and his gang did their real hacking...

Hacking, schmacking. Again, read the post. Still, I'm glad that you can at least recognise that data theft is bad when your preferred party isn't benefiting from it. Try extending that recognition to when your party does benefit from it.

Back your bus up and rewrite that steaming pile of male bovine excrement as if it had occurred while English was in the gun.

I know this is difficult for hard-core partisans to grasp, but data theft is a bad thing regardless of who's doing it to whom.

Robertson had neither the balls nor the integrity to offer a resignation...

Robertson isn't a data thief.

Anonymous said...

The question has to be: is the budget a highly politicised document? If the answer is yes then what National has done is acceptable. The government always announces some spending in the budget before budget day, so obviously not all of it is embargoed and highly confidential.

Johno said...

It wasn't theft and the documents were publicly accessible. As acknowledged by the police, Treasury, the Minister of Finance and everyone else apart from Milt.

Milt, please get help. Robbo's managed to get over it. You should too.

alloy said...

If they're searchable then they're effectively published, no amount of dancing on your very battered pin is going to change that.

What you're trying so desperately to do is deflect, not from the early publication of material on the Treasury website, but from the dishonest and slanderous behaviour of the Finance Minister, Deputy Prime Minister and senior Treasury officials.


The breach is not the scandal. (Inept, incompetent and stupid perhaps)

The Opposition's stealing Robertson's thunder is not a scandal. (Despite your faux outrage.)


The coverup is the scandal, it's the legitimate outrage, it's not mere incompetence, it's the morals (or more precisely the lack) to deliberately slander and lie to Parliament and the nation that's the budgetgate.

All Treasury and Robertson and Peters had to say was "Yeah, we stuffed up, the information is legit, we've fixed the breach now.", that would have taken the wind from National's sails.


Instead they huffed and they puffed and voila, National are up on their foils.


If you can't see that, and you continue to dance on the head of your battered pin, then plainly you're partaking of the same moral fibre diet as Robertson, that is to say too much sugar and something that goes snap, crackle, pop.

Psycho Milt said...

It wasn't theft ...

Addressed in the post. Your assertions to the contrary and appeals to authority count for nothing - if you have a valid counter-argument to the post, present it.

Psycho Milt said...

If they're searchable then they're effectively published...

Addressed in the post. If you have a counter-argument, present it.

Anonymous said...

Milt, thank you for this post. I happened to be visiting my parents' house the evening this broke in the news. They are Labour/Green supporters, I most definitely am not.

They asked me what I thought. I told them I thought Simon Bridges is a 'dickhead' based on this and his previous behaviour. I also told them that I thought this was schoolyard stuff and that he should have more sense than to indulge in it.

Just a datapoint for you from someone who doesn't particularly support Labour, but likes what they are trying to do to support people at the margins of society - the mentally ill, homeless, addicted etc.

alloy said...

"Addressed in the post. If you have a counter-argument, present it."


You don't have an argument to begin with.


You're like a crying child who's dropped his own lolly and is blaming his siblings for having a stronger grip.


My four year old has a better sense of accountability.



The Veteran said...

Bunkum, Milt, and stop feeling sorry for yourself ... budget sensitive crap ... so it's ok for the gummit to drip feed 'lollies' from the budget prior to the big day but it's bordering on criminal (your words) for National to exploit a f****p by Treasury to rain on the CoL's parade.

And don't you think common courtesy might have dictated that Robertson should have at least given Ms Freeman a 'heads up' that he was going to feature her photograph on the cover of the budget document ... had he done that he would have avoided the embarrassment of finding out she was fleeing NZL in search of wellbeing (now found) in Oz. Sorry, I forgot, arrogant socialists don't do common courtesy.

And Noel ... you've lost it with your 7.11 post. Not only did Bridges reveal how National got the 'papers' he demonstrated it to a believing band of journos. Just how that relates to Assange has got me beat.

Johno said...

"It wasn't theft ...

Addressed in the post. Your assertions to the contrary and appeals to authority count for nothing - if you have a valid counter-argument to the post, present it."

Your post is the one with appeal to authority, Milt: "A lot of organisations hold confidential data and have obligations to keep that data secure. I work for one, and IT security is something I have to take seriously because ..."

Only your authority is lacking. You refer to your own post as some sort of authority but your entire post is just your own severely lacking *opinion*.

Not only that, your post contains clear and obvious errors.

The data was not secured. It was unencrypted and open. You appear to have *no* idea what "secured" means. Let me help you. Secured means on a server not accessible to the public internet. Secured means accessible only by entering authentication credentials. Secured means encrypted. Choose at least one!

Blocking your indexing engine from indexing something to make it even easier to find does not secure it - FFS!

And overarching all this nonsense is this: Where is the harm in revealing the stumbled-upon freely available information? Let me tell you: it is manifestly embarrassing to the government. That's it. No economic damage. No personal harm to 3rd parties. It's not up to the opposition to ensure that delicate petals on the left avoid embarrassment for their stupidity. Very much the opposite. So dry your eyes, princess, learn and move on.

Please stop embarrassing yourself and diminishing this great blog.

Gerald said...

I don't believe that Bridges rained on the CoL parade. A lot of National sock puppets are claiming it, but as said by Anon, "I thought Simon Bridges is a 'dickhead' based on this and his previous behaviour" has some resonance among non-partisan voters.

After all, the paucity of information he had obtained wasn't really a dent in the total Budget.

His claims that he didn't have to quote sources because he was no different to a journalist was difficult to fathom given his prior work in the courts. And the fact that it was offered quickly to the Police says all.

Also, Veteran had been quick to go to legal sources on Mallard's comments; I can only assume that this action must have gone before the party's legal beagles before he made his grand announcements.

So what is it really about?
I'm guessing at the next lot of polls Mr S. Bridges' preferred PM numbers ain't going to go up and the National poll may go further down.

Simon's been the PM long enough now to get his extra 62k, taxis and aeroplane rides.



The Veteran said...

Gerald ... old saying ... when you make an assumption you're making an ass of you and me ... and boy, are you making an ass of yourself.

We'll discuss the next opinion poll when it comes out shall we ... on the numbers I've seen I'm looking forward to it.

Nice of you in your last para to refer to SB as the PM. On what we saw in the House yesterday he certainly came across as prime ministerial in contrast to the screeching and somewhat hysterical rant by his opposite number.

Psycho Milt said...

Anonymous at 9:27 - thanks for your comment. I'm glad to see at least some people get why this is serious.

Psycho Milt said...

alloy: in my experience, people who resort to giving me personality assessments do so because they have no substantive response to the post.

Psycho Milt said...

Johno:

You refer to your own post as some sort of authority...

I refer to my post as the argument I'm making. Since you appear to be having trouble following it, here are the relevant quotes from it:

If one of our staff makes a mistake and leaves a security loophole that opens access to confidential data for people who can find the loophole and exploit it, it seemed reasonable to assume that the government would treat as criminals the people who'd exploit that security hole to gain unauthorised access to our data.

And:

Those of us with responsibility for confidential data have no fucks to give about what's defined as "hacking" and what isn't, there's only authorised access to your data vs unauthorised access to your data...

The argument can be summed up as follows:

Premise 1: the data was clearly intended to be confidential and was known to be confidential by the people involved.

Premise 2: those people identified a security failure caused by human error and exploited that failure to obtain the confidential data.

Conclusion: that is data theft.

Your counter-argument appears to be that, due to the human error, the data was not secured.

That is not actually a counter-argument. The fact that human error caused the data to be accessible is right there in my premise 1.

You have a second argument that this is not data theft because there was little harm done, other than political harm to the government. However, that also isn't a counter-argument - it's the kind of thing a lawyer would raise as a mitigating factor in sentencing, if this theft were treated as such by the law, rather than a defence against the charge of data theft.

Psycho Milt said...

Veteran:

... so it's ok for the gummit to drip feed 'lollies' from the budget prior to the big day bur it's bordering on criminal (your words) for National to exploit a f****p by Treasury to rain on the CoL's parade.

Yes, exactly. The owners of the data can release whatever of it they feel like, whenever they feel like. Their right to do so doesn't imply any right for external parties to steal the data and release it.

And yes, I believe that data theft should be criminalised and have been stunned to find that National and its supporters actually support and engage in it. To "exploit a f****p by Treasury" to gain access to confidential data and use it for your own purposes is the very definition of data theft.

And don't you think common courtesy might have dictated that Robertson should have at least given Ms Freeman a 'heads up' that he was going to feature her photograph on the cover of the budget document ...

I wrote a serious post here. I'm not interested in trivia about what stock photo was used on the cover of the budget document.

alloy said...

@ Psycho Milt

You had nothing substantive to post in the first place.

Using Treasury's search function to search Treasury's website is not a hack.

Perhaps there was no intent to publish, but when treasury's own search engine returns the information it is published.

Welcome to the information age (you're a bit late).

Typically you attack the messengers when this is repeatedly pointed out to you.

I suppose that's better than addressing the government's cover-up and slanderous behaviour.

Johno said...

Milt, your premise 1 is irrelevant. The law as it applies to me disregards what other people's intentions are. My intentions would be relevant along with their *actions*.

You may dance on that battered pin (thanks to whoever came up with that) but the fact remains that your "understanding" of the law is at odds with the police and even Treasury themselves, who have accepted that it wasn't theft and there was no illegal activity. It's truly bizarre that you continue to see your legal expertise as superior to that of them and their highly paid advisors.

By continuing to call it theft you are probably committing slander.

Finally you are misrepresenting or misunderstanding my argument. Whether it was accidental or intended release is irrelevant, the fact is the data was publicly open.

Further, that there was no harm was not offered by me as an explanation of legality. Again you are misrepresenting me and it's starting to get tiresome. The reason I said that is that some lefties are bleating about National's ethics (because they have at least given up on the illegality claim). It would have been unethical for the Nats to release the information if it caused harm (such as Wikileaks caused harm by carelessly dumping secrets).

So a double fail for you Milt. Keep going though, this is fun!


The Veteran said...

Milt ... I never thought of your post as overly serious ... rather an attempt to smear in a failed attempt to divert attention from a failed budget.

Psycho Milt said...

alloy: looks like you didn't actually read the post, come back when you have.

Psycho Milt said...

Johno: looks like you didn't read the post either. It argues that this form of data theft should be illegal, not that it is currently illegal, nor that I'm some kind of legal expert.

As to whether it actually was legal or not, I'll take the word of actual lawyers over yours any day of the week, and several have come forward to say they believe this data theft was illegal under current law. So, the most you can say is that there are conflicting legal opinions on the subject.

Psycho Milt said...

Veteran:

Pointing out that data-thieving makes you a data thief isn't a "smear," it's a "statement of fact."

Anonymous said...

Where were you over the 9 years of the previous Govt when Labour had a number of leaks?
Your kind only see things one way, which is surprising, as a lifetime of anger and failure isn't aspirational to those of us who make up the majority.

EH of D

Psycho Milt said...

Forgot this bit:

Whether it was accidental or intended release is irrelevant, the fact is the data was publicly open.

Au contraire. There are two things:

1. We shouldn't enshrine in law the right to take someone's property if they accidentally fail to properly secure it.

2. According to the legislation, it very much matters whether the person gaining the unauthorised access to the data knows it's unauthorised. The thieves in this case were well aware that their access was unauthorised.

Psycho Milt said...

where were you over the 9 years of the previous Govt when they Labour had a number of leaks?

I'm not aware of any data theft carried out by the Labour Party during the previous government. If you can point to an example, I'd be happy to update my post, because it would be further support for the post's argument: data theft should be illegal.

Johno said...

Milt, "Johno: looks like you didn't read the post either. It argues that this form of data theft should be illegal, not that it is currently illegal, nor that I'm some kind of legal expert."

You repeatedly use the word "theft" but are increasingly confused about legality. Theft is illegal, end of story. You can't call it theft, then waffle about whether it is illegal or not.

We have established it was not illegal. Therefore it is legal, therefore it is not theft. Logic is and always is the basis of law because logic is the basis of proof.

You are wrong.


Johno said...

Milt: "According to the legislation, it very much matters whether the person gaining the unauthorised access to the data knows it's unauthorised. The thieves in this case were well aware that their access was unauthorised."

What legislation, specifically, would this be? Define unauthorised, with respect to being on a publicly accessible server. Was there any statement on the website declaring anything on it was secret or private? Was there any point at which some form of authorisation was bypassed?

No? Then it can't be called unauthorised.

gravedodger said...

"We shouldn't enshrine in law the right to take someone's property if they accidentally fail to properly secure it."
Please relate that statement to the common response by many insurance companies in rejecting claims due to poor or non-existent security.
No forced entry, then no burglary and claim denied.
IMHO if someone enters any property, secure or not, they commit a forced entry, but sadly the courts all too often require a valid trespass notice actually delivered; a 'no entry' sign does not cut it, nor does other evidence the intruder should have known. Any doubt and don't bother.

I really do believe simply clicking on a prompt of a website would be a very difficult link in a chain of evidence should such testimony be actually delivered in a court hearing a theft charge.

As far as any suggestions National transgressed even a moral position go, releasing such ho-hum data is simply laughable when one recalls the countless occasions when Annette King made hay against Ryall and then Coleman using grubby info from obvious links created when she was Min Health under Helen Clark; then there might be some very dodgy information that would have had her squeezed into the frame in any investigations.

Psycho Milt said...

You repeatedly use the word "theft" but are increasingly confused about legality. Theft is illegal, end of story.

Theft is illegal to the extent that legislation defines particular types of theft as illegal. If current legislation fails to define a particular type of theft as illegal, the legislation should be amended. That is the subject of my post, should you bother to read it at some point.

We have established it was not illegal.

We have not established that. We've established that the Police declined to prosecute, which is not the same thing. The Police don't get to decide what's legal or illegal, that's the courts' job. And lawyers differ on the legality of this incident, so it's not established at all.

Psycho Milt said...

What legislation, specifically, would this be?

Crimes Act 1961, part 10, section 252. There's a handy discussion of it here: https://techblog.nz/1830-Section-252.

As with the legality question, it's arguable whether this section of the Crimes Act applies or not. My argument is that if it doesn't, the legislation should be amended so that it does.

As to how the thieves knew their access was unauthorised, for fuck's sake read the damn post.

Psycho Milt said...

Please relate that statement to the common response by many Insurance companies in rejecting claims due to poor or non existent security.

Why? My post isn't about whether Treasury is entitled to an insurance payout or not.

I really do believe simply clicking on a prompt of a website would be a very difficult link in a chain of evidence should such testimony be actually delivered in a court hearing a theft charge.

Could well be, but that should be tested in the courts via a prosecution. I personally would very much look forward to seeing Nat staffers attempting to persuade the court that they really had no idea their access to budget documents was unauthorised and that their bombarding the search engine to get snippets of info and collate them did not seem to them to be an unusual way of accessing a document.

Tom Hunter said...

I'd be more impressed by these arguments from Psycho if it wasn't for this blast from the past:

Psycho Milt

[@Psycho]...Isn’t the most dirty trick exposed in Nicky Hager’s book, the revelation that Hager reveals that he received six years of stolen e-mails, hacked from Cameron Slater’s Gmail and Facebook accounts?

Ha ha – yeah, those dirty tricksters Woodward and Bernstein were so much worse than the people they exposed, right?

August 14, 2014, 9:58AM


I'm not seeing a lot of serious, chin-pulling concern about "data theft" from you there Psycho! Let alone any emotive language concerning "data-thieving scum".

In fact it comes across as end-justifies-means, which, funnily enough, is rather like the National Party arguments in this case.

And of course in 2014, Slater was the target so "meh".

Except that also sounds a lot like National now with regard to their target - the government, and Robertson in particular.

And after all that I did think that these rules about stealing people's confidential data were the ones we were all now playing under in Hager's world. Or is it more like this example?:

Calvinball
The only consistent rules of the game are that Calvinball may never be played with the same rules twice and that each participant must wear a mask.

Maybe Bridges can try that last one in Parliament!

Johno said...

Milt, did you read the act and comprehend subsection 2? Brislen explains this: if you access the system legitimately then stumble into something secret, subsection 2 specifically makes this legal. As Brislen says, "So if you've got permission to use the system and then use it for something other than the purpose you were given access for, you're not hacking."

Clearly the public has permission to access the system.

End. Of. Story. Thanks for proving us all right and yourself wrong.


Psycho Milt said...

1. I don't recall rawshark presenting him/herself as a contender for government of the country.
2. I don't recall rawshark claiming that their data theft was "entirely appropriate."
3. I don't recall the Police finding that nothing unlawful had taken place. On the contrary, they stitched up a dodgy search warrant to let them go and ransack Hager's house. Nothing like that has yet happened to Simon Bridges.
4. If Rawshark had been caught, they would have been facing a prison sentence, unlike Simon Bridges, who gets to boast about his data theft to the nation's journos, entirely free of consequences. If rawshark had been caught I'd have been quite happy to see them go down for their crimes.
5. Unlike Simon Bridges, Nicky Hager had a legitimate claim to journalistic privilege in having used the illegally-obtained data for the public good - which was the point of my comment at the time.
6. My organisation, like Treasury, is unlikely to store data that it would be a public good to reveal. I didn't mention that in my post above because it should be a "well, duh." The same could not be said for the stolen data Nicky Hager published, relating to the dirty politics operation being run from John Key's office.
7. Thank you for making the connection between what Simon Bridges has done and what rawshark did. All we need now is a police force willing to make the same connection.

Psycho Milt said...

Johno: that's your assertion, yes. I'd prefer to see it tested in court.

Also (and again, for fuck's sake read the damn post), the entire point of my post is that if current legislation permits this form of theft, the legislation needs changing.

Johno said...

I've read your post (it's all but worthless) and you keep calling this theft despite it clearly not being theft. I don't really give a fuck about what you think is a point to your post. You keep calling this theft when it. is. not.

You really haven't a leg to stand on and if the legislation was changed then people like your pal Hager would end up in jail. Is that really what you want, or do you think this law should only apply to the right?

Psycho Milt said...

If you aren't interested in the point of my post, try not commenting on it.

... if the legislation was changed then people like your pal Hager would end up in jail.

1. Hager is not a data thief.
2. I haven't at any point suggested doing away with journalist privilege.

The Veteran said...

Milt ... haven't you learned ... explaining is losing and your explanations are nothing more than dissembling the truth to try and make good what in real truth has been a terrible week for the gummit.

Still, I'll give you this ... the best week in opposition is never as good as the worst week in government so I suggest (in all humility) that you quit when you're behind.

RosscoWlg said...

Nice try Milt, Yawn. You lose we win, been like that all week hasn't it, one disaster after another.

I saw how long this post was and thought it was a Tom Hunter book review....read like one too.

Better to have slunk off and fumed in silence I would have thought... but I guess it was better written than one by Snowflake ...... oh perhaps that's why they commissioned you to write it!

Psycho Milt said...

Also in my experience, people who feel they have to announce that they've won and you've lost are addressing themselves ahead of anyone else.

RosscoWlg said...

Oh just taking a leaf out of the Cullen book so I guess you are right with your comment then......and he certainly turned out a loser.

Trying to explain or complain, as in your case, is bad sportsmanship... just say to yourself meh, we did it with Hager, and use one of my mottos in life: what comes around goes around.

Slink off and count trees, oops that won't take long, slink off and count houses... oh shit that will take even less time... oh better still piss off and count rail subsidies.

Psycho Milt said...

I'm aware that your comments are a kind of stream-of-consciousness wittering barely distinguishable from a drunk pissing down his own leg, but this was a serious post making a serious argument and I'm not inclined to indulge your keyboard incontinence on my thread. Feel free to respond to the argument in the post - otherwise, don't bother commenting. Seriously.

alloy said...

https://www.stuff.co.nz/business/industries/113161208/gcsbs-cyber-security-centre-told-treasury-its-computer-network-was-not-compromised

Not compromised, not hacked.

How sad for Milt. How many times does reality have to hit him in the face?

Someone stuffed up. If the left can't be honest to themselves, how can we expect them to be honest to us?

Now get off your pin and address Robertson's and Peters' slander and misleading of Parliament and the country.

Lord Egbut Nobacon said...

Hypothetical situation........in 1985 a Govt staffer carrying a copy of the soon to be announced budget meets a friend in the PUBLIC reception area of the Beehive.

They have a chat and after parting the staffer wanders off leaving the budget copy on a coffee table. A few minutes later somebody picks it up, realises what it is and that it is a CONFIDENTIAL document, stuffs it under his jacket and hotfoots around to the leader of the opposition.

Two things would have happened then.. The moral attitude of the time would ensure that the leader of the opposition would not have used it.......and the culprit would have been prosecuted for theft and probably a couple of other charges as well.

What the hell is so hard to understand about this scene or Milt's post?

Psycho Milt said...

alloy: you're really determined to keep posting stuff that was already dealt with in the post, for some reason. Obviously, you actually reading the thing isn't going to happen, so I'll quote the relevant parts for you.

You wrote: Not compromised, not hacked.

In my post: National's supporters, and a range of people who ought to know better, have said that exploiting such security holes for unauthorised access is fine because it's not "hacking." Easy for them to say. Those of us with responsibility for confidential data have no fucks to give about what's defined as "hacking" and what isn't, there's only authorised access to your data vs unauthorised access to your data, and the people looking for a way to gain unauthorised access to your data are data-thieving scum, whether they meet some arbitrary definition of "hacker" or not.

You wrote: Someone stuffed up.

In my post: A staff member made a mistake and didn't block the site's search engine from indexing the documents. Anyone finding those documents via the search engine would find access to the documents blocked, and would know why they were blocked. However, the security hole caused by the staff member's mistake could be exploited.

A staff member making a mistake that opens up unauthorised access to the data doesn't entitle people to find that mistake and exploit it to access the data. They remain data thieves.

Now get off your pin and address Robertson's and Peters' slander and misleading of Parliament and the country.

Sure. I think Robertson's been overly-kind to National over this. Peters has been more accurate in his characterisation of them.

The Veteran said...

Milt ... This sez it all ... https://i.stuff.co.nz/national/politics/opinion/113144646/smartest-men-in-the-room-pffft-treasury-stands-alone-on-budget-bungle

The Veteran said...

And this ... https://i.stuff.co.nz/national/politics/opinion/113162869/nightmare-on-molesworth-st-how-labours-annus-horribilis-went-viral

Johno said...

And abroad:
https://www.bbc.co.uk/news/world-asia-48455579

Seems like there's only one person left on the entire internet that thinks the budget was stolen.

alloy said...

Milt, the credibility gap widens with every post.

The issue is not the mistake, mistakes are forgivable.

The issue is the the cover up, the lies, the slander, of which you are complicit and which you are failing to address.

Psycho Milt said...

Veteran: Duncan Garner and Stacey Kirk's ignorance-based reckons are worth every dollar Stuff charges to read them. I'm not interested in what hack opinion writers have to say about this, I'm interested in what data privacy professionals and lawyers have to say about it.

Alloy: whatever fantasy world you're off in, I'm not joining you there.

Gerald said...

https://www.stuff.co.nz/business/industries/113111605/nationals-budget-leaks-go-against-security-agencys-advice-and-treasury-breach-was-unlawful-lawyers-say

From Stuff too

Psycho Milt said...

Gerald: the comments under that story are also pretty good, they demonstrate that most people do actually understand why data theft is wrong. I particularly like this comment, which sums it up nicely:

Bridges claims that the story that the Nationals "hacked" the site is a lie. He goes on to explain that they exploited a vulnerability in the site. Dude, that's what hacking is.

Johno said...

Lawyer/activist to Nicky Hager. Perhaps they could give someone a little less "aligned"...

Psycho Milt said...

Yes, it would be nice if the Police had decided to prosecute, so that this could be properly tested in court rather than left as a matter of opinion.

However, that's unlikely to happen now. Those of us with accountability for data security will just have to bear in mind that National governments believe any mistake by one of our staff strips us of any recourse against data theft.

RosscoWlg said...

Still dancing on the head of a pin Miltie, a pin that nobody really cares about! I meant the Treasury probably spends millions on IT consultants.

A web site, which is considered in the public domain, is usually firewalled from the rest of your IT system. If someone has hacked your system they have come through your firewall by various methods.

This web site, like most web sites, is the public face of your company or organisation, it is exposed to the real world. If your security is not good enough... tough shit. I suspect some junior fresh out of Media Studies made a mistake.

With the Hager affair the information was taken from inside the organisations firewalled system.. totally different kettle of system.

Meh you still lose, can't see anyone else out there in blog land taking your stance.... move onto defending Trevor... ah shit he's a loser too!!!

Anonymous said...

Sorry PM can't agree with you on a law to criminalise people taking data through the site's own search engine.

Your real life analogy is not quite correct. Yes if you leave your front door open and someone comes in and takes your stuff that is theft. But that’s not what happened here. If you leave your stuff just laying around with a “free to a good home” sign on it, there is no way that should ever be called theft, either in the real world or the cyber world.

The potential unintended consequences from such an authoritarian law would be horrendous.

Paranormal

Johno said...

Rest assured Milt would not be bleating if this had happened to a Bill English budget.

Quite the opposite. Milt would having been singing the praises of the brave activist warriors that obtained the info and the courageous opposition that revealed it.

Coz it's different when the left do it.

Psycho Milt said...

Paranormal: the Treasury data was not "just laying around." National had to find the security hole a staff member's mistake had made, then figure out how to exploit it, then put time and effort into using the exploit to extract brief snippets of confidential data, then collate the snippets to partially reconstruct the documents. That's data theft, also known as hacking. Most of what gets called "hacking" is exactly what I just described: someone makes a mistake, confidential data is exposed to the public, someone with an interest in unauthorised access to that data finds the mistake and downloads the data. In theory, our laws are supposed to make that unauthorised access illegal, but events of the last week suggest it isn't - hence my post.
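The mechanism the comment above describes (documents uploaded to a site ahead of release, the document page itself access-controlled, but the site's own search index built over the text and handing out snippets to anyone who queries it) can be modelled in a few dozen lines. The following is an added illustration and is not code from the post or from Treasury; the corpus, dates, figures, snippet width and probe terms are all constructed for the example. It shows the weak design (the embargo enforced only on the page, not on the index) beside the fix (the same check applied before any search hit is returned), and how repeated probing of the weak version stitches snippets back into most of an embargoed document.

```python
"""Search-index snippet leak: constructed illustration, not the original post's code.

Model: every uploaded document is indexed, the page that serves a document is
blocked until its publish date, but search results carry text snippets. Anyone
who can query the search box can therefore read the text the page protects.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass
class Document:
    doc_id: str
    text: str
    publish_on: date  # embargo date: the document page is blocked before this


# Constructed sample corpus (hypothetical content, not real budget data).
CORPUS = [
    Document("press-release-1",
             "Government announces new library funding for rural towns.",
             date(2019, 5, 20)),
    Document("embargoed-1",
             "Operating allowance rises to $3.8 billion. "
             "Capital allowance set at $10.4 billion over four years.",
             date(2019, 5, 30)),
]

TODAY = date(2019, 5, 28)        # two days before the embargo lifts
SNIPPET_CHARS = 40               # assumed snippet window either side of a hit
PROBES = ["allowance", "billion", "capital", "years"]   # assumed probe terms


def snippet(text, term):
    """Window of text around the first hit, as a search-results page would show it."""
    m = re.search(re.escape(term), text, re.IGNORECASE)
    if m is None:
        return None
    start = max(0, m.start() - SNIPPET_CHARS)
    end = min(len(text), m.end() + SNIPPET_CHARS)
    return text[start:end]


def fetch_document(corpus, doc_id, today):
    """The document page: correctly blocked until the embargo lifts."""
    for d in corpus:
        if d.doc_id == doc_id:
            return d.text if d.publish_on <= today else None
    return None


def search_vulnerable(corpus, term, today):
    """Weak design: index everything uploaded and rely on the page to enforce the embargo.
    The embargo date is never consulted here, so snippets of blocked documents leak."""
    hits = []
    for d in corpus:
        s = snippet(d.text, term)
        if s is not None:
            hits.append((d.doc_id, s))
    return hits


def search_hardened(corpus, term, today):
    """Fix: apply the same embargo check the page applies before returning any hit.
    (Equivalently: do not feed unpublished documents to the indexer at all.)"""
    hits = []
    for d in corpus:
        if d.publish_on > today:
            continue
        s = snippet(d.text, term)
        if s is not None:
            hits.append((d.doc_id, s))
    return hits


def reconstruct(search, corpus, doc_id, probe_terms, today):
    """Collate the snippets many probe queries return for one document.
    Returns the distinct fragments, longest first; the caller joins them."""
    fragments = set()
    for term in probe_terms:
        for hit_id, s in search(corpus, term, today):
            if hit_id == doc_id:
                fragments.add(s)
    return sorted(fragments, key=len, reverse=True)


if __name__ == "__main__":
    print("page:", fetch_document(CORPUS, "embargoed-1", TODAY))       # None: blocked
    leak = reconstruct(search_vulnerable, CORPUS, "embargoed-1", PROBES, TODAY)
    print("leaked via weak search:", " | ".join(leak))
    fixed = reconstruct(search_hardened, CORPUS, "embargoed-1", PROBES, TODAY)
    print("leaked via hardened search:", fixed)                         # []
```

The practitioner's check is the one `search_hardened` makes explicit: whatever rule gates the document page must also gate the index, the search results and any other secondary view (RSS feeds, sitemaps, preview thumbnails), because a blocked page plus an unfiltered index is a page-level control, not a data-level one.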

Anonymous said...

Sorry PM any member of the law abiding public could have found what you call a 'security hole'. It wasn't a 'hole', it was a blatant cock up by the staff member loading the documents onto the site.

Allowing the documents to be searchable by the site's own search engine is in fact akin to putting a sign on it saying free to a good home.

Ultimately Veteran is on the money with today's post about this whole sorry saga. I think Bridges is a guy that could fall into a river of perfume and come out smelling of shit.

Paranormal

Psycho Milt said...

RosscoWlg: well, I guess that does constitute an attempt to address the arguments of the post.

...a pin that nobody really cares about!

You're saying "nobody" there when you mean "no RosscoWlg." In reality, a lot of people actually care quite a lot about data security and data privacy.

If your security is not good enough... tough shit.

Well, that's an interesting personal opinion, but it's not what our legislation says and I doubt Simon Bridges would phrase his attitude to data security quite so bluntly, for all that he apparently shares your opinion.

With the Hager affair the information was taken from inside the organisations firewalled system.. totally different kettle of system.

Jesus wept. Perhaps best not comment on things you know nothing about.

Meh you still lose, cant see anyone else out there in blog land taking your stance...

It says a lot about you that you think the ethics of data security is a popularity contest.

Psycho Milt said...

Sorry PM any member of the law abiding public could have found what you call a 'security hole'. It wasn't a 'hole', it was a blatant cock up by the staff member loading the documents onto the site's own search engine.

That's one of the things a security hole is! You guys seem to have a very romanticised notion of what "hacking" consists of.

And the whole point of data theft is that "any member of the law abiding public" could, but doesn't, find these security holes and help themselves to the data, because they aren't looking for unauthorised access to confidential data. Data thieves are looking though, and in this case the data thieves found what they were looking for.

Psycho Milt said...

Rest assured Milt would not be bleating if this had happened to a Bill English budget.

You still have no idea what the post is actually about, do you?

Noel said...

"National had to find the security hole a staff member's mistake had made, then figure out how to exploit it, then put time and effort into using the exploit to extract brief snippets of confidential data, then collate the snippets to partially reconstruct the documents"

Bridges says his nanny could have done it.


https://www.tvnz.co.nz/one-news/new-zealand/simon-bridges-plays-video-showing-budget-information-accessed

Psycho Milt said...

I expect she could have, but then I also expect his nanny doesn't put a lot of time into probing web sites for security errors. Also, the level of skill that was required for the data theft is irrelevant.

RosscoWlg said...

Miltie.. give it away mate, as they say there is nothing to see here, your pin head has been eroded away to a couple of molecules held together by Labour Party snot.

The Treasury Servers are behind a firewall... were they hacked.... No.

The public face of Treasury sits on a Web Page open to the public... just like this one... you happen to sign off with your real name on this Blog.... tough shit!

It's simple logic, even a simple Labour Party hack like yourself should be able to follow that logic.

I've been searching the civil law sites for your case against Hager, after all your sense of outrage is palpable to all and sundry... can't seem to spot it.

I guess you are busy with your convoluted outrage building a case in the support of that poor bastard outed by the Mallard as the Parliamentary rapist.... ah thought not!

RosscoWlg said...

But thanks Miltie, being a simple miner down here in Nightcaps, and with the shit weather, the choice was to read this blog all day or tap the wife's shoulder, it's been a great pleasure reading this extended blog, it must have had the longest conversation in No Minister.

A lot of smarter people than me have put you to bed but you just keep popping up like the bad smell around a Labour Party youth evening.

I'm sure you'll want to have the last word.. so I'm popping next door to take the piss out of the local primary school teacher, what with strikes, and taking a Teachers' only day on Friday, and a strike next week they haven't done any real work for about 6 days.... typical of them though!

Psycho Milt said...

You're sure I'll want to have the last word, on my own blog? No fucken shit, Sherlock? I hope you know more about mining than you do about data security, for your colleagues' sake.

Lord Egbut Nobacon said...

I'm about 70 posts too late but never mind. The question that puzzles me is WHY did National go to so much trouble to release something that was due to be released in a few days anyway?

What possible political advantage could be gained?

At the moment it just looks like childish ya boo sucks we are cleverer than you.

Willing to be educated though feel free to give logical answers.....

Psycho Milt said...

I think it's a consequence of seeing politics as a kind of sports match, ie the aim is to score more points than your opponents. When people thinking that way are presented with an opportunity to embarrass the government, they're not going to devote much thought to the ethics of data theft or what the implications are for every other organisation's ability to protect its data from hackers. I personally would not want such people put in charge of running the country, but based on this thread there are plenty who would.