Sunday, October 14, 2012


So, it turns out that WINZ are a bunch of fucking muppets at computer security, allowing sensitive, private information to be accessed by anyone at any of their kiosks (or indeed, anyone on their network). Including invoices from contractors, address information for beneficiaries, and medical information on abused kids.

Great job, guys. Good to know you're taking care of the extremely sensitive information people entrust to your care.

But it doesn't stop there. You can also access configuration information, including passwords (stored in plain-text, naturally) for WINZ's internal servers.

This is a fundamental failure of basic network security, the level of carelessness you'd expect from ACC or SIS. Heads need to roll for it. Meanwhile, it certainly makes you think twice about their plan for a massive database of at-risk kids. Given their security practices, they might as well be drawing up a shopping-list for pedophiles.

If you'd like to thank Keith financially for his journalism, you can do so here.