DPF has Cameron Slater’s video describing how Labour’s confidential donor information was accessed. Briefly:
- Labour hosts a number of different web sites on its web server. If you type labour.org.nz into your browser’s address bar it takes you to their main site, but if you type in lets-not.co.nz it takes you to their asset sales campaign site. It looks different, but both sites are hosted on the same computer.
- Labour registered another site called healthyhomeshealthykiwis.org.nz, also hosted on this server. But when you visited this address you didn’t see a normal web page – you saw a directory listing of the Labour Party web server. This let you browse Labour’s server and read any file you wanted, just as you can with your own computer.
- This is considered so undesirable and such an egregious breach of security that the web server software Labour uses (Apache) disables directory listing by default. You have to go into a configuration file and switch it on manually. So I guess that’s what they did.
- It gets worse. All organisations back up their sensitive data – usually onto a backup server and/or tapes, which are then kept in a highly secure location. Confidential data like, say, financial records are always encrypted and password protected. But someone in the Labour Party decided to back up their donor database onto their web server – the only server in their organisation accessible to the general public, so by definition the last place you’d put any backup files.
- So all you had to do was enter healthyhomeshealthykiwis.org.nz, click on a few directories and you could download Labour’s unencrypted donor database.
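The two conditions described in the list above (directory listing switched on for one site on a shared server, and backup files sitting under the web root) are things a server administrator can check for. The following is an added example, not code from the original post or from anyone involved in the incident. The function names, the suffix list and the sample configuration are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumed list of suffixes that usually mean a dump or backup, not site content.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".tar", ".tar.gz", ".tgz", ".zip")

SECTION_OPEN = re.compile(r"<(VirtualHost|Directory)\s+([^>]+)>", re.I)
SECTION_CLOSE = re.compile(r"</(VirtualHost|Directory)>", re.I)

# Constructed sample: two sites on one server; the second serves the parent
# directory of the first with listing switched on.
SAMPLE_CONFIG = """\
# constructed sample, not the real server's configuration
<VirtualHost *:80>
    ServerName main.example
    DocumentRoot /var/www/main
    <Directory /var/www/main>
        Options -Indexes
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName campaign.example
    DocumentRoot /var/www
    <Directory /var/www>
        Options Indexes FollowSymLinks
    </Directory>
</VirtualHost>
"""


def indexes_enabled(config_text):
    """Return (context, line_number) for each Options line that enables listing."""
    findings, stack = [], []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2).strip()}")
        elif SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
        elif line.split()[0].lower() == "options":
            opts = {word.lower() for word in line.split()[1:]}
            # Indexes, +Indexes and All let Apache list a directory with no index file.
            if opts & {"indexes", "+indexes", "all"} and "-indexes" not in opts:
                findings.append((" > ".join(stack) or "server config", number))
    return findings


def exposed_backups(docroot):
    """Return backup-like files under docroot, as paths relative to it."""
    root = Path(docroot)
    return sorted(
        path.relative_to(root).as_posix()
        for path in root.rglob("*")
        if path.is_file() and path.name.lower().endswith(BACKUP_SUFFIXES)
    )


if __name__ == "__main__":
    for context, number in indexes_enabled(SAMPLE_CONFIG):
        print(f"line {number}: directory listing enabled in {context}")
    for name in exposed_backups("."):
        print(f"backup-like file under web root: {name}")
```

The configuration check only follows `<VirtualHost>` and `<Directory>` sections and does not resolve `Include` files or `.htaccess` overrides, so a clean result from it is not proof that listing is off everywhere.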
In the absence of any interesting information (as yet) released from these files, the story here is about Labour’s inability to protect the confidential information of its donors. Like the Darren Hughes fiasco, this is yet another sign that Labour is not a healthy organisation. It’s a party of perpetual incompetence that’s in deep denial about this obvious fact – to them they’re always the innocent victims of endless right-wing media conspiracies. A party that cannot run itself should not be allowed anywhere near the machinery of government.
This is how Labour seeks assistance in running Party-critical IT infrastructure:
Comment by SHG — June 13, 2011 @ 10:27 pm
Server said it was apache as the web server but phusion passenger was running as well (and also PHP). This means that the server was running Ruby on Rails which almost guarantees that the site was made by a welly agency which means that someone’s going to get their ass handed to them. There’s no way they do this shit in house. As much as it’s a fun narrative that labour fucked up, if they were even allowed by their web agency to manage their own servers then that’s ridiculous.
They’ve been fucked by a contractor, I’d put money on it.
Comment by Chris Bull — June 13, 2011 @ 10:47 pm
I’m bummed it’s a contractor ‘cos that allows Labour to viciously complain about the Employment Contracts Act and how contractors are fucking this country over. Literally. It would have been much more fun for it to have been an employee and watch Labour try to dismiss him/her.
Comment by Nick K — June 13, 2011 @ 10:53 pm
I suspect their web development is done on a volunteer basis.
Comment by danylmc — June 13, 2011 @ 10:54 pm
I saw Drupal listed on one of the directories, so it’s possible someone’s set the server up for them and then turned the MPs and their staff loose
Comment by danylmc — June 13, 2011 @ 10:55 pm
Even if it was a contractor – it was someone in Labour who decided it was a good idea to put CRM backups and internal communications on that server.
Comment by Dylan Reeve — June 13, 2011 @ 10:56 pm
Either way, when I build CMS sites for clients I don’t expect them to do anything more than use the CMS web interface. I expect other devs to do the same.
Comment by Chris Bull — June 13, 2011 @ 11:06 pm
I think Danyl’s comment re competency sums the whole fiasco up neatly.
God forbid members of the LP apparatus start running with scissors.
Shambles.
Comment by Gregor W — June 13, 2011 @ 11:21 pm
come on, Let’s Not was clearly amateur so why wouldn’t their web site be as well
Comment by abel the amish — June 13, 2011 @ 11:22 pm
The ‘Let’s not’ idea was sloppy & derivative, but the billboard they ended up with was a good one.
L
Comment by Lew — June 13, 2011 @ 11:27 pm
Considering that labour is all the things that you say they are, why do you bother discussing them?
Is it because you enjoy kicking helpless puppies, or wallowing in masochism?
I am sure you can (as a science teacher) find more useful and satisfying things to do than gratifying the national party.
Time you formed your own party, methinks.
That should please both National and Labour.
Comment by peterlepaysan — June 13, 2011 @ 11:29 pm
Comment #1 is pure fried gold. That will be exactly how this happened.
Comment by Dave — June 13, 2011 @ 11:51 pm
I understand that it was a contractor who did the work setting those pages. Of course, I don’t know whether subsequent labour incompetence triggered the problem.
“In the absence of any interesting information (as yet) released from these files”. Well, spotting public servant donations to the party will be interesting, but I doubt that there will be many. Despite being really interested in the political process, most Wellington bureaucrats don’t get involved or donate.
Comment by DT — June 14, 2011 @ 12:19 am
On the one hand, Labour effectively left their keys in the car at the forecourt. On the other hand, the involvement of panty-sniffers like Oily will potentially cancel it out.
Comment by DeepRed — June 14, 2011 @ 12:21 am
Problem is: if not Labour, then it will be National. And they are the last thing we need at the moment.
Actually the last thing would be Don Brash, but you know what I mean.
Comment by rainman — June 14, 2011 @ 12:21 am
Why do you link to DPF’s reproduction of Slater, rather than Slater directly? Is it an ethical thing: “I won’t even visit that website, let alone direct people to it!”, or is it just that you happened to see it on DPF and linked to where you saw it? Just curious is all.
Comment by DT — June 14, 2011 @ 12:26 am
‘”Yes, Your Honour, she was askin’ for it….’ Crap = “The story here is about Labour’s inability to protect the confidential information of its donors.” A dirty little fingerman got in the act.
Comment by Galeandra — June 14, 2011 @ 12:26 am
Google still has most of the directory tree indexed if you want to browse through it.
Comment by SHG — June 14, 2011 @ 1:05 am
“Google still has most of the directory tree indexed if you want to browse through it.”
Not that interested to be honest. Watergate 2011 this isn’t – I think the cetacean might have harpooned himself!
Comment by gullysn0w — June 14, 2011 @ 4:38 am
O.K Labour isn’t a particularly rich party, fuck what a surprise that millionaire bmw dealers don’t vomit money their way on a pathetic notion that silverspooners being richer through bmw sales will help the nation. National fucked up something as basic as their gst on spending last election, yet they run our economy now.
Wake up Danyl, this isn’t incompetence, it’s poverty of labour supporters and your nastiness to the left is only hurting the left, enjoy the destruction of the last planks of the last decent parts of the welfare system.
Have you been to a winz office in 2010-2011? Maybe your humour would dry up when you see the fucking disgusting way they treat the poor. Labour never turned winz into a police station. So you love the labour bitch but all it means is the morons are returned. Get real man, fight for poverty, fight for an unemployment rate that has lingered on for decades putting thousands of citizens into nothing lives.
Comment by John — June 14, 2011 @ 8:22 am
How do you get competence near the machinery of government?
Get a competent party list designed to be able to run a country rather than run around in party circles?
Would a list be better if it was like a board of directors, the best people available to manage the country, and to manage the party? That doesn’t mean just business management, social management is as important.
What sort of people would be best for a party list?
Comment by Pete George — June 14, 2011 @ 8:23 am
National fucked up something as basic as their gst on spending last election, yet they run our economy now.
Not at the last election in 2008, but at the election before that in 2005.
Comment by Graeme Edgeler — June 14, 2011 @ 8:42 am
I should clarify what my real aim is here.
I’m saying Lets!
My personal ambitions are at electorate level, I can make a difference in Dunedin, one way or another.
New Zealand needs a viable credible alternative to the train wreck that our political scene seems to have become. I think we have to look outside traditional politics for people with the competence and reliability to keep the government honest and contribute to running the country.
It needs a joint concerted effort. Something should be done. Find people who can do the job. Find real leaders. Lets!
Comment by Pete George — June 14, 2011 @ 8:45 am
I’ve been thinking who would be good for a list. People who are good in their fields and who get things done.
Where are the John Tamiheres and Gareth Morgans? What about the Graham Edgelers? Get something going, anything’s got to be better than the sorry bunch of choices we have at the moment.
Comment by Pete George — June 14, 2011 @ 9:05 am
Saying that this proves that Labour is incompetent and not fit to govern is way over the top.
Security on the internet is pretty universally shit – just ask Sony. No one knows what they’re doing, amateurs like me put up websites, and then get hacked. It’s not pretty but Labour isn’t that special on this front.
Comment by Thomas Beagle — June 14, 2011 @ 10:18 am
Some techies mucked up their security settings. That’s the great scandal?
“A party that cannot run itself should not be allowed anywhere near the machinery of government.”
That has nothing to do with the ability of Labour’s politicians to govern. You seem to forget that Labour just governed for 9 years with great success.
A shame to see an intelligent guy falling for National’s spin.
Comment by Deano — June 14, 2011 @ 10:20 am
It’s a party of perpetual incompetence that’s in deep denial about this obvious fact – to them they’re always the innocent victims of endless right-wing media conspiracies.
As demonstrated by the comments of Galeandra, Gully and John above.
Comment by helenalex — June 14, 2011 @ 10:24 am
“…A shame to see an intelligent guy falling for National’s spin…”
Danyl voted for Key, so it is hardly the first time.
Comment by Sanctuary — June 14, 2011 @ 10:29 am
Have to laugh at everybody who still seems to think that this is such an amazing victory in the fight for free information & ending political corruption or whatever the supposed reason for revealing the names of everybody who gives money to the Labour Party. I really doubt the list is going to be released, especially now that the Nats’ fingerprints are all over it.
Seriously, people writing stuff like this?
“Whaleleaks is a term that might come to be one of those 2011 election year zeitgeist words representing one of the major features of political debate and discussion.”
….
Comment by Hobbes — June 14, 2011 @ 10:38 am
National fucked up something as basic as their gst on spending last election, yet they run our economy now.
You’re assuming they fucked up. Rorting electoral finances is something National are actually quite good at.
Comment by George D — June 14, 2011 @ 10:46 am
@Sanctuary: “Danyl voted for Key, so it is hardly the first time.”
And he’s said that he wished he hadn’t. So too have quite a few others in NZ.
The overall point is, Labour has policy on its side, but its PR has been left to amateurs at best, ever since Helen, H2, Dr Cullen and Mike Munro all stepped down. Conversely, Crosby/Textor, the Nats’ PR hacks, know how to polish even the smelliest turds. What Labour needs now is Brian Edwards or at least someone who can step into his shoes.
@Thomas Beagle: On Internet security, the only truly secure system is Sneakernet.
@PeteGeorge: Tamihere got ousted by Dr Sharples, and the Gareth Morgans of this world don’t really fit the party political system so they wilfully operate outside it.
Comment by DeepRed — June 14, 2011 @ 10:57 am
I think we need another neologism – “to dimpost”: to provide a clear and impressive summary, based on rational analysis, and then to leap to an entirely irrelevant conclusion, based on personal prejudice (to use the technical term, “bee in bonnet”).
Whatever happened with the Labour party HQ computers has nothing whatsoever to do with what a Labour government would do in office. I doubt that Goff, King and Cunliffe could tell you how to change font size.
Not liking the way Labour Ministers ran the government for nine years is one thing. Suggesting that they didn’t know how to do so, is simply idiotic.
Comment by sammy — June 14, 2011 @ 11:00 am
gosh, the party faithful/activist base are certainly in a tizzy over this one.
Comment by will — June 14, 2011 @ 11:11 am
I notice John Key was no-commenting last night. I really think Whale (& Hooten)’s attempt to make something of the content may have queered the pitch for any attempt (by National, and I wouldn’t expect the media to do it without prompting) to hand Labour their ass over the data handling. Labour’s failed attacks have often shown that being able to hold focus where you want it is important.
Quite apart from the way, as Keith Ng notes, the actual info seems to be ‘Labour in the thrall of small donors and its general-public masters’.
Also, I wonder if, for the public, the line between ‘hacked’ and ‘stuff with computers I don’t understand’ is pretty thin.
Comment by lyndon — June 14, 2011 @ 11:16 am
I haven’t been at the Stranded for quite a long time (for obvious reasons), but it feels to me that we’ve just become raided here at Dim-Post by Strandardistas en masse…
Entertaining, but also a little bit sad…
Comment by Sam — June 14, 2011 @ 11:17 am
I doubt that Goff, King and Cunliffe could tell you how to change font size.
@ Sammy
Interesting comparison.
Some would argue that (excepting Cunliffe) this lot aren’t exactly a shining example of effective leadership either.
As you say they had a shot for 9 years, but I don’t think many would suggest that either King or Goff demonstrated during their tenure in government the capacity to lead or inspire a nation by example.
Don’t get me wrong; I’m not flying a flag for the Key dog-and-pony show.
It’s just that as an opposition pitching for the reins of power the NZLP caucus do come across as bumbling and frankly, a bit shit at their jobs.
Comment by Gregor W — June 14, 2011 @ 11:26 am
It is quite funny that you go to a campaign page and get a directory list, and certainly suggests internal party incompetence around web server administration. But country-ruining incompetence? A little hysterical methinks…
But wasn’t there some story here around the use of Parliamentary Services fund for party campaigning? Where’s that?
Comment by garethw — June 14, 2011 @ 11:28 am
You can see this as an isolated incident – but Labour has ‘isolated incidents’ like this every couple of weeks. National and the Greens don’t seem to blunder from one ‘isolated incident’ to the next, pausing along the way to demand when the country is going to ‘wake up’ and vote for them.
Comment by danylmc — June 14, 2011 @ 11:39 am
Comes down to money basically. National has a lot. Labour has not much. I’m not saying this excuses this gross incompetence, but I think it does show how little you can get in opposition and when you don’t have the big fellas backing you up.
Comment by max — June 14, 2011 @ 11:39 am
garethw – There was meant to be, but it seems to be all smoke and no fire – otherwise he is at risk of everyone (esp the media) losing interest in anything he has to actually release. I don’t understand what Slater thinks he will gain by not releasing anything of substance at all (and donor lists aren’t really substance). A power-trip perhaps?
Comment by Sam — June 14, 2011 @ 11:40 am
“the web server software Labour uses (Apache) disables directory listing by default. You have to go into a configuration file and switch it on manually. So I guess that’s what they did.”
This may be true now, but I don’t know if it’s necessarily true for older versions of Apache which they may be or have been running.
Comment by Progger — June 14, 2011 @ 11:53 am
Sam, he got in the news the other day; that’s probably all he was looking for..
Comment by Hobbes — June 14, 2011 @ 11:54 am
“gosh, the party faithful/activist base are certainly in a tizzy over this one.”
Yep, self pity is never attractive but often entertaining
Comment by Tinakori — June 14, 2011 @ 12:02 pm
National has its share of MPs of dubious competence (Quinn, Coleman, Lee for starters) but attempts to make them representative of the party as a whole somehow don’t stick.
Comment by bradluen — June 14, 2011 @ 12:03 pm
I’m left with the feeling that any ‘normal’ person having stumbled across such a phenomenon on some website would get in touch with the site’s admin to tell them “HOLY SHIT YOUR SITE IS UNSECURED”.
Slater on the other hand comes across like a self-important attention-seeking jerk. Quelle surprise.
Comment by Progger — June 14, 2011 @ 12:08 pm
And his video doesn’t prove anything because it leaves out the first bit where he gets access to the Apache config file via a known exploit and switches off the directory-listing suppression.
Comment by Progger — June 14, 2011 @ 12:11 pm
National has its share of MPs of dubious competence (Quinn, Coleman, Lee for starters) but attempts to make them representative of the party as a whole somehow don’t stick.
It’s worked out for the Nats because their individual buffoonery has been eclipsed by the electorate’s love affair with JK.
The charming(ish) smile, the contrived everyman blokey/dorkiness, ‘relaxed’ as is his adjective of choice. We love that shit!
A genuine victory for focus group polling and PR over self interest.
Inevitably, as the electorate realises that while the first few years was all about courtship and sweet nothings, the next three will be all about getting fucked and slapped around, that shine will inevitably wear off.
Then the shit will start sticking to the other monkeys.
Comment by Gregor W — June 14, 2011 @ 12:33 pm
this is yet another sign that Labour is not a healthy organisation. It’s a party of perpetual incompetence that’s in deep denial about this obvious fact – to them they’re always the innocent victims of endless right-wing media conspiracies. A party that cannot run itself should not be allowed anywhere near the machinery of government.
I have to agree with many above, this is a long, long bow to draw. I’m not sure we should look to a party’s IT management skills as the best indicator of who is most able to govern. Does it follow that a party that runs its online security flawlessly must have what’s needed to make the tough decisions and get the economy going again?
Ladies and gentlemen, I give you the Government New Zealand Needs To Sort This Country Out (TM) as (implicitly) approved by Danyl:
http://tinyurl.com/6y9nd9y
Comment by Hugh — June 14, 2011 @ 12:40 pm
gets access to the Apache config file via a known exploit and switches off the directory-listing suppression.
Yes I did wonder if this was possible.
I’m no big fan of the current Labour incarnation, and certainly think there have been more than a few political gaffes, but I’m not sure I see this in the same light. I see how safe management of the donor list is a big deal, but when IT lackeys presumably employed by minor operational wings of the Party itself make silly backup decisions I’m not convinced it’s quite “don’t let the political wing anywhere near the Ministries”
Comment by garethw — June 14, 2011 @ 12:48 pm
If this were an isolated example of incompetence and carelessness then you’d all be right in saying it’s OTT to wail on Labour so hard. But it’s not. This is just the most recent in a long line of events which suggest deep dysfunction. And the most serious, since it concerns personal data (including financial data) given by members of the public to the party in confidence. Public confidence is the lifeblood of a political party. They are presently bleeding out.
Do you need me to list the stupid failures, scandals, errors of judgement and lapses which illustrate a slapdash organisational culture and poor management which preceded this? Seriously — this isn’t a departure from form, it’s a continuation.
L
Comment by Lew — June 14, 2011 @ 12:50 pm
Wot Lew said (although, ironically, it’s ‘whale on Labour’, not ‘wail on’).
http://forum.wordreference.com/showthread.php?t=1215882
Comment by Rich (the other one) — June 14, 2011 @ 12:58 pm
or even ‘wale’. Opinions vary, though usage could be argued to rule…
http://hill-kleerup.org/blog/2009/05/05/wail-whale-wale.html .
Comment by Pascal's bookie — June 14, 2011 @ 1:22 pm
I for one totally endorse this newfound approach. Fuck elections, let’s decide the next Government by hackfest. Side with 1337357 5K|11Z w1nZ.
Comment by George D — June 14, 2011 @ 4:11 pm
let’s decide the next Government by hackfest.
That’s one step close to a technocratic society, I suppose…
Comment by Phil — June 14, 2011 @ 4:45 pm
Looks like Labour’s not the only ones with lax security lately…
Details have emerged as to how hackers were able to steal over 200,000 Citi customer accounts, including names, credit card numbers, mailing addresses and email addresses… Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else’s account.
Comment by gazzaj — June 15, 2011 @ 4:05 pm