Scaremongering on credit cards

Written By: - Date published: 7:22 am, June 16th, 2011 - 100 comments
Categories: blogs, dpf, Ethics, making shit up, national

Cameron Slater is still spreading disinformation about the data taken from Labour’s web site. Specifically he is claiming that people’s credit card details are at risk:

The problem however was much worse than that. Way worse. Remember that Chris Flatt the Labour General Secretary sent out a letter and email to their donors assuring them that their credit card details were safe. He shouldn’t have been too hasty with that assurance.

Their credit card provider admin details were:

"Flo2Cash_Donate\";s:9:\"user_name\";s:8:\"nzlabour\";s:8:\"password\";N;s:9:\"signature\";N;s:8:\"url_site\";s:63:\"https://secure.flo2cash.co.nz/donations/labourparty/donate.aspx\";s:7:\"url_api\";N;s:9:\"url_recur\";s:63:\"https://secure.flo2cash.co.nz/donations/labourparty/donate.aspx\"

I never accessed those areas, to do so would have been illegal.

OK that’s pretty funny! Those aren’t “areas” – they are secure (encrypted) links to the web site of the transaction handler Flo2Cash. Slater couldn’t “access” them in a million years. Credit card details go straight to the Flo2Cash server without ever touching the Labour Party site. Neither the username nor the password needed to access Flo2Cash was stored in the site database that the Nats (and subsequently Slater) accessed: in the serialised fragment Slater himself quotes, the “password” and “signature” fields are null (the N; markers), and the only values present are the public donation page URLs. See the statement from Flo2Cash below.
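As an added example (not code from the original post, from Labour, or from Flo2Cash), the following Python parses a PHP serialize() value of the kind quoted above and labels each field, so you can see for yourself that password, signature and url_api are PHP NULL (the N; markers) and the two URL fields are public endpoints. The outer a:1:{...a:6:{...}} wrapper and the list of secret-looking key names are assumptions, since the post shows only the inner key/value run.

```python
"""Parse PHP serialize() output and report which config fields actually hold secrets."""
from typing import Any, Dict, List, Tuple


class PhpUnserializeError(ValueError):
    """Raised when the input is not well-formed PHP serialize() data."""


def _parse(data: bytes, pos: int) -> Tuple[Any, int]:
    """Parse one value starting at pos; return (value, position just after it)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                      # N;  -> PHP NULL (nothing stored)
        if data[pos:pos + 2] != b"N;":
            raise PhpUnserializeError(f"malformed null at byte {pos}")
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):        # i:42;  d:1.5;  b:1;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        value = int(raw) if tag == b"i" else float(raw) if tag == b"d" else raw == b"1"
        return value, end + 1
    if tag == b"s":                      # s:<bytelen>:"<bytes>";  (length is in bytes)
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                # skip ':"'
        if data[colon + 1:start] != b'"' or data[start + length:start + length + 2] != b'";':
            raise PhpUnserializeError(f"string length mismatch at byte {pos}")
        return data[start:start + length].decode("utf-8"), start + length + 2
    if tag == b"a":                      # a:<count>:{key;value;key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        if data[colon + 1:colon + 2] != b"{":
            raise PhpUnserializeError(f"malformed array at byte {pos}")
        pos = colon + 2
        result: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            result[key] = value
        if data[pos:pos + 1] != b"}":
            raise PhpUnserializeError(f"array element count mismatch at byte {pos}")
        return result, pos + 1
    raise PhpUnserializeError(f"unsupported type tag {tag!r} at byte {pos}")


def php_unserialize(data: bytes) -> Any:
    """Parse a complete serialize() value; reject trailing garbage."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise PhpUnserializeError(f"{len(data) - end} trailing bytes after value")
    return value


# The fragment as quoted in the post. The backslash escapes (and, in some
# renderings, smart quotes) are display artefacts, not part of PHP's format.
RAW_FRAGMENT = (
    r'"Flo2Cash_Donate\";s:9:\"user_name\";s:8:\"nzlabour\";s:8:\"password\";N;'
    r's:9:\"signature\";N;s:8:\"url_site\";'
    r's:63:\"https://secure.flo2cash.co.nz/donations/labourparty/donate.aspx\";'
    r's:7:\"url_api\";N;s:9:\"url_recur\";'
    r's:63:\"https://secure.flo2cash.co.nz/donations/labourparty/donate.aspx\"'
)


def rebuild_serialized(fragment: str) -> bytes:
    """Strip the display artefacts and wrap the fragment in an outer array.
    The post shows only the inner key/value run, so the a:1:{s:15:...;a:6:{...}}
    enclosure is an assumption made here to obtain a complete serialize() value."""
    clean = fragment.replace("\\", "").replace("\u201c", '"').replace("\u201d", '"')
    key, _, body = clean.partition('";')         # key == '"Flo2Cash_Donate'
    return f'a:1:{{s:15:{key}";a:6:{{{body};}}}}'.encode("utf-8")


# Assumed list of key names that would normally hold a credential.
SECRET_HINTS = ("password", "secret", "signature", "key", "token")


def credential_report(config: Dict[Any, Any], prefix: str = "") -> Dict[str, str]:
    """Flatten a parsed config and label every leaf: 'null' (PHP NULL), 'url'
    (a public endpoint), 'secret-set' (a secret-looking key holding a value) or 'value'."""
    report: Dict[str, str] = {}
    for key, value in config.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            report.update(credential_report(value, path + "."))
        elif value is None:
            report[path] = "null"
        elif isinstance(value, str) and value.startswith(("https://", "http://")):
            report[path] = "url"
        elif any(hint in str(key).lower() for hint in SECRET_HINTS):
            report[path] = "secret-set"
        else:
            report[path] = "value"
    return report


def leaked_secrets(serialized: bytes) -> List[str]:
    """Paths of secret-looking fields that actually contain a value."""
    report = credential_report(php_unserialize(serialized))
    return [path for path, label in report.items() if label == "secret-set"]


def page_fragment_report() -> Dict[str, str]:
    """Label every field of the fragment quoted in the post."""
    return credential_report(php_unserialize(rebuild_serialized(RAW_FRAGMENT)))


if __name__ == "__main__":
    for path, label in page_fragment_report().items():
        print(f"{label:10s} {path}")
    print("secrets actually present:", leaked_secrets(rebuild_serialized(RAW_FRAGMENT)))
```

Running it lists user_name as a plain value, password, signature and url_api as null, and the two URL fields as public endpoints; a constructed input such as a:1:{s:8:"password";s:6:"hunter";} is what a real credential leak would look like, and leaked_secrets flags it.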

Having demonstrated complete technical incompetence, Slater heads off into the realm of pure scaremongering:

But given that their systems were open and exposed long enough that Google and 9 other bots were able to cache the entire directory system there is a good chance that Russian or Nigerian scamsters also were able to obtain access to the database and credit card processing passwords that Labour left exposed. Chris Flatt cannot give any assurances that their donor details including credit cards were safe and secure.

Farrar (who should know better) is repeating this drivel. Whether they’re just stupid, or whether they know they’re spreading lies, it amounts to the same thing. National’s bloggers are trying to spread disinformation and concern amongst innocent members of the public. It’s a scummy tactic, but then that is their usual style.

100 comments on “Scaremongering on credit cards”

  1. PeteG 1

    Whether they’re just stupid, or whether they know they’re spreading lies, it amounts to the same thing. National’s bloggers are trying to spread disinformation and concern amongst innocent members of the public. It’s a scummy tactic, but then that is their usual style.

    That’s an interesting accusation coming from you R0b. What would you know about that sort of tactic?

    I don’t like some of what is being done over the credit cards, but it seems like dirty political business as usual, it’s what polipeople want.

    [lprent: r0b doesn’t. In fact he leans over backwards not to. I note that you have offered absolutely nothing to back up that statement. If you read the policy you will find that we don’t allow this type of unsupported underhanded attack on our authors.

    Banned for two weeks. You should be careful – after this level the ban lengths really start to escalate. You’d have to ask yourself if the cheap thrill you experience is worth it. Even a critic who never says much of substance should be able to understand that. ]

    • wtl 1.1

      FFS, surely if you are serious about improving NZ politics you should be criticising all sides when they blatantly make shit up.

      And yes, you can do that at the same time as trying to point out the ‘Your NZ’ will offer a great new way of doing things. Frankly, it doesn’t inspire much confidence in you or ‘Your NZ’ when you refuse to take a stance on issues such as this.

    • RedLogix 1.2

      I don’t like some of what is being done over the credit cards

      Yeah but you can’t quite bring yourself to condemn it can you?

      • PeteG 1.2.1

        I’ve already condemned it – I’ll repeat specifically if you like.

        It had to be revealed that credit card information was potentially at risk. That’s where I think it should have ended, there should have been no consideration that any of the credit card information should be revealed by anyone, nor threatened.

    • r0b 1.3

      That’s an interesting accusation coming from you R0b. What would you know about that sort of tactic?

      I don’t spread lies to scare innocent individuals.  You can apologise for that shit PeteG, or you can have a week off.

      [lprent: Just banned him. That is one of the self-martyrdom offenses. Sorry, you cannot protect him from that type of offense by getting in there first. ]

      • PeteG 1.3.1

        Attack bloggers for the Nats, a party which runs as a franchise of an Australian company (Crosby Textor)…

        You can’t make this stuff up…

        I think you did make that stuff up.

        If you don’t consider innocent individuals read this blog, and if you don’t think anyone reading this blog is scared by CT paranoia, then I’m happy to apologise.

        [lprent: You’re putting up a sentence of satire from a sarcastic as an explanation? That is beyond being weak.

        Well I have already banned you. But add another week for apparently lacking sense of humor or proportion – but mostly for being really stupid. I could do with the time off from reading you.

        See you in July. ]

        • Gosman 1.3.1.1

          Yes but left wing scaremongering is okay because the ‘evil’ capitalists are really out there trying to screw the workers and eat their babies.

        • r0b 1.3.1.2

          I think you did make that stuff up.

          I think you haven’t read The Hollow Men.

          Anyway, I see that lprent has already sorted you out, so see you in 2 weeks I guess.

        • Kevin Welsh 1.3.1.3

          Ha! More time to watch your Pollyanna DVD collection now PeteG.
          All together now, let’s sing the ‘Glad’ song…

      • PeteG 1.3.2

        You’re opening yourself up to claims of political censorship, but I guess you know that.

        [lprent: *grin* I have to let this idiotic comment through. This is from someone who has his own site, and who spends a lot of time commenting at the sewer – hardly short of outlets. What I suspect that he actually means is that he’d like to keep freeloading his party and site on this site’s readership.

        If so, then he should have taken notice of the policy and avoided letting his own behavior fall into a zone that I’d have to act on. There are some behaviors that I don’t tolerate on the site and making unsubstantiated attacks on authors is pretty close to the top of the list.

        It is hard enough to get people to come on board and write the posts without having a blowhard coming in and slagging them off with nothing supporting their statements.

        He was just lucky that he’d accumulated enough brownie points from his comments. My first instinct was to ban him until after the election (and no – I cannot be persuaded to change my mind) ]

        • Jim Nald 1.3.2.1

          Thanks for sparing me from reading rubbish.
          I’ll express my appreciation by doubling my next cash donation to The Standard.

          • Anne 1.3.2.1.1

            My thanks too and there will be a cheque coming in the post.

            • hawk 1.3.2.1.1.1

              Yes using a credit card would be rather unwise, I agree. Labour don’t have a great track record of protection.

              • Draco T Bastard

                Actually, they have an excellent track record. Or, to put it another way, one breach does not make a track record – unless you’re a National Party stooge stuck on repeat.

              • Anne

                Tongue in cheek hawk.. tongue in cheek.

          • Jim Nald 1.3.2.1.2

            Well, National’s secret and blindingly obvious trusts, eg Waitemata Trust, won’t be getting any of my money this time.

  2. Luva 2

    r0b you are giving crazy whales story way more legs than it deserves.

    In my opinion he was never going to do anything with the data he found. He wanted to send the blogosphere and specifically the far left blogosphere into a tail spin. And given the enormous amount of comments on this subject this week he has succeeded in his mission.

    He doesn’t care about the morality or legality of his actions. Whale lives and breathes off the reactions he gets from his posts. Ignoring him would suffocate him. Daily ranting about him brings him back to life.

    • r0b 2.1

      r0b you are giving crazy whales story way more legs than it deserves.

      After it blew up in their faces, it needed all the legs it could get.  And in particular those lies on the credit cards, designed to scare specifically targeted individuals, needed to be countered.

      • Luva 2.1.1

        I accept your point but I don’t think he will see it like that. I don’t know the guy and hope I never do but I’m guessing he is pretty proud of himself right now and keeping his delusions alive will bring a smile to his fat face.

        As for the rest of the world, are they interested in techie geek talk or political sniping? That’s all this story is now.

        Let’s move on to talk about our shit salary increases this year and the causes for that.

    • lprent 2.2

      Are you saying that we can’t trust anything that Cameron Slater says? That he routinely blusters and lies about fact?

      Not your usual line is it?

      I think that this story has some legs, especially the way that the National party is using their poodles to spread their dirty tricks. I for one intend to continue.

      • Luva 2.2.1

        Lynn I am certainly saying that.

        I may be a rightard but I will call bullshit on a fool like whale more often than not.

        • Draco T Bastard 2.2.1.1

          And, I suspect, work hard to try to shut down the stories that hurt the right like you’re trying to do with this one.

      • Colonial Viper 2.2.2

        This story about National doesn’t just have legs, it has wings!!!

        Chicken wings, by the looks of what National and Slater are backpedalling on!

    • Peter 2.3

      I suspect you are oh so right about this guy living off reactions etc. I’ll be making another donation.

      • Jim Nald 2.3.1

        Indeed. Ditto. Will stop by the local Labour office and make a cash donation at midday.

        • Colonial Viper 2.3.1.1

          Yeah I’ve already decided to up the level I’m donating to Labour. And I think it’s time I threw more money at The Standard.

          My honey won’t mind me forwarding on a bit of cash from her Daddy’s trust account.

  3. Gosman 3

    Curious that you have an issue about the scaremongering about credit card details yet one of the regular members of this site sent a letter to both Peter Goodfellow and Cameron Slater in which he specified that he was concerned that they had his credit card details. Isn’t this scaremongering as well then?

    • Morning Gosman.

      See below.

    • r0b 3.2

      Yeah that just shows that the lies that the Nat-bloggers are spreading are working to create fear Gosman.

    • lprent 3.3

      You mean that a lawyer should have known what a web server configuration looked like and realized that Cameron Slater was lying again.

      I think that you are either a little generous on your understanding of what they teach at law school or more likely you’re just doing a diversion spin.

      • Gosman 3.3.1

        Well as your stated position is that anything coming from Cameron Slater’s position is likely to be a lie then perhaps you need to pass this piece of advice on to comrade mickeysavage to avoid the embarrassment of him taking Cameron Slater at his word in future 😉

        • jackal 3.3.1.1

          It’s best to assume that everything oozing out of the oil lard is a lie when he has been shown to be untruthful on numerous occasions. The presumption of untruth needs to be disproved by him, and as such is not likely to be forthcoming (because the information does not exist or he is too much of a coward to present it) we must err on the side of caution and his history and say that lard arse is lying in a vain attempt to damage Labour. In this case it’s the presumption that old blubber guts is telling the truth that is the problem.

          Very few people will believe the word of a discredited blogger over that of Labour, especially people who already support the party and know a little about oil lard. In this instance he would have in fact turned many supporters against National for their possible involvement in the underhanded campaign… The ones who are mentally capable of determining the truth of the matter that is.

  4. I must admit I got sucked in by Whale about the credit card numbers after watching his video.  I made the fatal mistake of taking him at his word.  From now on if he says today is Thursday I am going to check a calendar.

    I agree with Luva that this has been a huge beat up and a damp squib in terms of the shock horror revelations.

    And I wish PeteG would discuss specifics.  These broad generalised statements he keeps making are driving me nuts.  It is like wrestling with a blancmange.

    • Gosman 4.1

      Morning mickeysavage 😉

      So you agree that it was a tad rash of you to send off that e-mail demanding that the National party let you know what information they had about you and your credit card details then?

      • mickysavage 4.1.1

        No I still want to see what information it holds.
        I am in the fortunate position where I am happy to be branded as a Labour Party activist.  There are others, for instance public servants, for whom any sort of publicity could be very damaging.  So the privacy issues relating to the data need to be respected.  Presuming that further consideration by the Privacy Commissioner is necessary then a complaint by an affected person as well as the party will be required.

        • Gosman 4.1.1.1

          Quite possibly but there is the potentially embarrassing fact that the privacy commissioner will actually come down harder on the Labour Party than anyone else for failing to take proper precautions around the protection of the data.

          I have worked in banking for a while now and there are serious implications, (including large fines in some cases) for allowing customer data to be readily accessible in the way the Labour Party has done in this case.

          Are you also writing to the Labour Party demanding that they put in place proper I.T. security to protect your information or is your real issue on this more politically motivated?

          • lprent 4.1.1.1.1

            Don’t know about micky, but I have made my displeasure about events known to people at the NZLP. Unlike the National party, we are both members of the Labour Party. So you send polite letters to National and get quite sarcastic within conversations with people at Labour.

            And Gosman, point to something that the banks would consider to be an issue. There is no information that is sensitive to the banks in the exposed directories. It doesn’t show any credit card details.

            I know the ones used in NZ and a couple of other countries because I have had to code to their standards. There is nothing there that would constitute a problem under the various bank guidelines. I’d guess that you are just raising yet another diversion.

            Perhaps you should make clear your opinion on what The National Party and Whaleoil have done? Do you think that it is moral and ethical to expose people’s private information to merely make a political point?

            • Gosman 4.1.1.1.1.1

              I’m really not fussed by it to be honest as I quite like the idea of open information disclosure, (although I admit it comes with serious risks).

              The US Government had a massive problem with the Wikileaks cables and took the position that it seriously compromised the ability of US diplomats to do their jobs properly and may potentially lead to harm to some people. However that didn’t stop certain people from publishing some of the information, (including on this blog if my memory serves me correctly), to make a political point.

              Do you have a problem with this sort of thing lprent?

              • lprent

                Do you have a problem with this sort of thing lprent?

                I think that I have made my thoughts on this quite plain on wikileaks, the hollow men, and even this one. I generally follow the legal basis because a lot of thought has gone into balancing out the differing competing rights and obligations. 

                If you want a short answer (I get complaints that some of my comments and posts are long), I’d say that I’m not as simple as you are in the balance.

                With wikileaks, there is at least one person (probably Manning) who released the information. They had obligations that they clearly violated and they will be prosecuted for that. It is likely that there is one or more persons in the National party who did the release of the hollow men e-mails – and the same thing should apply to them.

                Quite frankly it is a risk that you take as a whistle blower because you are violating a position of trust and there should be consequences for doing that. Even whistle blower legislation doesn’t usually shield people from that. If present then it merely mitigates the consequences.

                With journalists it is a whole different matter. The legal systems recognize a public good in having journalists being able to publish information where it is received in an unsolicited and unpaid for fashion. That is enshrined throughout legal systems in democracies and other types of societies. That is the transparency you are referring to.

                Again, most of the legalities reduce but do not remove legal consequences. It simply makes the burden of proof harder to obtain for prosecutors. For instance the ‘shield laws’ in various countries will normally protect sources, but there are circumstances where it will not. 

                Wikileaks and the newspapers that published the information are clearly covered by those protections as the US justice department found out. They look like they have failed to build a case that is likely to succeed against wikileaks or the newspapers.

                So when one of these cases comes up I look to the existing legal structures rather than doing as many do (like yourself?) and make legal principles up based on what you’d like to see happen. I’m afraid I have little respect for such wishlist blathering.

            • Gosman 4.1.1.1.1.2

              BTW Customer name and address information is regarded as reasonably sensitive data in the Banking world. While not as vital as credit card or bank account information releasing it into the public domain is still not acceptable.

              • lprent

                Yep, and it is typically not covered in the standards as a requirement.

                They are in the sections that make up the “security concerns” parts of the specs. Those are the ones to do with looking at how secure a system is in overall terms. Those also include a range of concerns such as physical security, vetting of personnel, auditing procedures, etc etc. They apply to corner dairies with their highly secure* eftpos terminals as well.

                * that was sarcasm for those who have humor deficiency issues

              • Colonial Viper

                While not as vital as credit card or bank account information releasing it into the public domain is still not acceptable.

                Which is what Whaleoil’s National paid lawyers will finally have managed to get through to him.

              • ianmac

                A few years ago I was given a huge stack of computer printout paper to draw on. It turned out to be the printout from a local bank and at a glance I recognised local names and details. Hells Bells. I got my trusty guillotine out and slashed the pages especially on the left hand side as the names appeared to be thus. Am sure that that would not happen today though. Pity Whale couldn’t have done the same thing, though with other bits fed to the guillotine.

  5. ghostwhowalksnz 5

    128 bit encryption? Isn’t that a bit weak these days

    • lprent 5.1

      Not uncommon on payment sites. If you are looking at man in the middle attacks there isn’t much point in having encryption on one leg that is stronger than that on other legs. Typically the banks set their standards long ago.

      I must pop on to the computer downstairs. I can’t read the flo2cash statement on my iPad.

      • Bazar 5.1.1

        128bit encryption is perfectly fine. It’s already in the overkill stage.

        It’d probably take more energy in our solar system powering a pc for a trillion years, than to crack 128 bit encryption given a brute force attack.

        There was something like a slight flaw in a leading encryption algorithm discovered a while back, if it uses that algorithm, then perhaps it’d only take a billion years and the power of our sun to do it.

        • infused 5.1.1.1

          Not quite. There is a reason you cannot use more than 128bit encryption in the US. It’s not crackable in our lifetime. 128 is.

  6. ron 6

    Can we all just agree that Slater et al are f*#k heads and leave it at that?

    • ZeeBop 6.1

      Sorry but hasn’t Slater broke the law if he suggests that? If a donor is forced to change their credit cards at time and cost, then finds out that Slater never had the details. So he must have them. Any credit card company would be very concerned by what Slater is saying, it makes them look bad too, the more cases of credit card numbers the less integrity there is to their product, and so will they be mighty happy to take Slater to task if he were lying. Oh, oops, maybe the data has fake credit cards numbers, like a bank who hold a marked bank note in the cashier drawer.
      Slater should be more mindful of the wikileak of massive amount of US intelligence, just because a diplomat says it in private does not make it US policy. How exactly does Slater know those are correct credit card numbers.

      • Kaplan 6.1.1

        That is a very interesting point. I know for a fact that my credit card details will be in there. I wonder if a complaint to the police about my information ‘potentially’ being stolen is warranted?

        • lprent 6.1.1.1

          Your credit card details won’t be there.

          However information that you have provided to Labour for a specific purpose is now in the hands of Whaleoil (and probably the National party – somehow I don’t really believe their “I didn’t inhale defense”). There is nothing to prevent you from making a complaint as there is a prima facie case that information you own (as the privacy act makes quite clear) is in the hands of someone not authorized to have it.

          • Gosman 6.1.1.1.1

            Yes but who is at fault here for the information getting into the public domain. If it was in a banking environment the onus is on the bank to keep your information securely and if it doesn’t then the issue is with the bank who stored the information not with the people who accessed the information. One of the reasons for this is practicality. If 1000 people accessed your information it is obviously difficult to try and get recourse from each of these 100 people. It is much easier to go directly to the organisation that should have kept your information securely.

          • rouppe 6.1.1.1.2

            Then the complaint should be against the Labour Party. They were the ones who collected it and are responsible for making sure it isn’t compromised.

            Principle 5 of the Privacy Act.

            • Kaplan 6.1.1.1.2.1

              I completely disagree. If I give any property or information to someone and they leave it unsecured, sure I can be upset with them, but if an unauthorised person takes it KNOWINGLY from the people I have entrusted it to then they are the ones that have committed the crime.
              In this case it’s Cameron Slater who ‘claims’ to have my credit card details. I’ve never authorised him to have them so a complaint to the police seems warranted.
              At the very least I am going to ring my bank and seek their advice. Perhaps they will take a complaint against him.

              • rouppe

                What crime?

                This is akin to some Labour staffer dumping the records into a skip and then complaining that someone went through the skip and pulled them out again.

                This is not akin to someone entering your home. Your home is private property. An unsecured server is public. If you have wi-fi at home and haven’t secured it, you can’t complain if someone uses your bandwidth.

                It is up to the collector of the information to ensure that it is secure against loss, access and disclosure. The collector was the Labour Party.

                • Draco T Bastard

                  Pretty sure that going through someone else’s rubbish is illegal. It’s still their rubbish.

                  • rouppe

                    If the skip or rubbish bin is in a public place then it is most certainly not illegal.

                    That is why Police can sift through rubbish dumps without a warrant, whereas they can’t sift through your house without a warrant.

                    • Draco T Bastard

                      Nope, when I worked for a contractor that dealt with rubbish in Auckland we had to get permission from the council before we opened the rubbish that had been dumped to see if we could find an address to charge the bastards.

                    • The Voice of Reason

                      It’s both theft and trespass to take from bins on private property and it’s a handy real world corollary to the digital world charges Slater would face if he had the guts to go through with his threat to publish the names.

                    • rouppe

                      Fair enough.

                      I concede I was wrong on that point.

                  • Bunji

                    Yup taking or going thru rubbish is illegal.

                    • Jim Nald

                      Indeed.

                      For the NZ context, the Crimes Act is applicable and see also this piece:

                      http://www.odt.co.nz/opinion/opinion/42471/there-are-ways-and-ways-thieving

                    • McFlock

                      Yeah the police can search a dump because the owners (the local council) let them, although if the council said “no” the police would then need a warrant or statutory power (e.g. s19 search powers).

                      It varies from country to country, but generally everything is owned by somebody. Some places let you take a person’s rubbish bags from the street, but if the refuse contractor is paid by the tonnage then you’re stealing from them. If they have a nice incremental revenue stream from salvage/ reuse/ composting, then you’re stealing from them. Some countries/ states  regard rubbish bins/bags in the street as “plain view” searches, but it still belongs to somebody.

                      Nice try though.

                  • ZeeBop

                    If you pick rubbish up to recycle it, then I think that’s permissible. I think where it gets illegal is when information is gathered from the rubbish, since the rubbish is paid by the owner to have it removed, and the expectation that the rubbish remains private is assumed. The theft is the loss of privacy. If you have information you want to dump in the rubbish, and there are people who will take newspaper to read out of the paper recycler bin, then you should put the information in with the wet rubbish, DUH.

                    Now what about dumpster diving. Well yes there is a commercial interest to have the food go to waste, so consumers buy new, and the health issues. But conversely if you can’t afford it, are in end of food, can’t get a benefit because WINZ don’t believe in the social security net, then I would say plunge away.

                    Now what about the yellow pages, great for recycling, but the owner might have written in the margins. Mostly undiscernible but some might make sense. So should that information then sit in your fire basket waiting for years to dry out with information that a person left on it, well if they also wrote their name on the yellow pages!!!! Who does that??

                    I think once you have come into information that you should not have, like you come into possession of property, you have a duty to take it to the police and if nobody claims it, then claim and use it????? Would Police be reckless if they let you have the used needle you found back?

                • If you have wi-fi at home and haven’t secured it, you can’t complain if someone uses your bandwidth.

                  rouppe, why on earth do you think that – in these circumstances – someone can’t complain? I certainly would. If I can’t complain about someone doing something that is wrong and that they would know was wrong, then under what circumstances would I be able to complain about anything? (Please don’t answer ‘If someone broke the law’ because that would be the reduction of social sanctions to legal sanctions – and no society could exist on that alone.)

                  Should we have no expectations of each other’s behaviour?

            • mickysavage 6.1.1.1.2.2

              This issue is not an either or.  

              I am absolutely certain there has been some private ass kicking within the Labour Party.  I am satisfied with the steps that have been taken.

              I am also concerned that the Nats have information about me. This does not prevent me or others from asking and the way I see it they are under an obligation to provide.  I am also keen to find out what they thought gave them the right to download the data.

              • Gosman

                I’d suggest your faith in the Labour Party resolving this issue might be blinded by your ideological bent rather than reflecting what the reality may actually be. It would probably pay for you to do what lprent has done and request an assurance from Labour that your personal information will not be kept in such a sloppy unprotected manner in future.

                • lprent

                  I didn’t request an assurance, that would definitely be the wrong word for it.

                  I have had a series of very sarcastic conversations with various people asking how it happened, what they are doing to fix it, offering my assistance if it is required, and asking what steps have been taken to ensure that it doesn’t happen again. 

                  I think that “arse-kicking” would be a better description. It was an accident and it was one that shouldn’t have happened. But I’ve been around human/managerial/computer systems long enough to know that they will. What I was really concerned about was the way that a single failure opened so much of the system up. There simply wasn’t enough layering of protection in there.

                  However that doesn’t detract from the fact that what the National Party and Whaleoil did was morally and almost certainly legally reprehensible – which is what you seem to want to avoid talking about. I guess you have a double standard?

                  • Draco T Bastard

                    No, he has only one standard – cover up the immoral dealings of NAct at all costs.

  7. Sam 7

    As a spectator, the show that you guys and whale have put on this week has been highly entertaining!

    Thanks! 😀

  8. Tangled up in blue 8

    I noticed on TV3s Firstline this morning that Garner was spinning that National have done nothing wrong and that Labour were trying to blame National for everything.

    • r0b 8.1

      Didn’t see it, but I heard that Garner confirmed that the Nats passed on the details to Slater.

      • Gosman 8.1.1

        Please provide evidence for this please. At the moment it is just hearsay from you.

        • Jim Nald 8.1.1.1

          Here .. ?

          http://www.3news.co.nz/The-Week-in-Politics/tabid/419/articleID/215314/Default.aspx

          From around 2’53 – 2’58” (out of 4’16” … although note that the timing on the clip restarted part way)

          Duncan Garner:
          “if you look at some of the hits on the Labour Party’s website last weekend,
          yes, someone from National Party headquarters tried to get in there
          although they didn’t and it looks like they passed the information on
          to Whaleoil to go and do it himself which he did”

          • Lanthanide 8.1.1.1.1

            That’s not a “confirmation”, just Garner repeating hear-say.

            • Pascal's bookie 8.1.1.1.1.1

              I though Gos was after confirmation that Garner said it.

              And Garner is saying from the evidence, it looks like National passed it on…

              No?

              • Lanthanide

                r0b said Garner “confirmed” it. r0b could have just said “Garner said it”, but he didn’t.
                 
                So my interpretation of what r0b wrote is that he had heard that Garner had new, inside information which he stated on the show. Whether or not Gosman interpreted what r0b said in the same way I did, I don’t know.

                • r0b

                  Yes, I was careful to point out that I was repeating something I’d “heard” (seen claimed elsewhere).  The person who made the original claim may be correct or not, I don’t know, and don’t have time to find out right now!

      • Tangled up in blue 8.1.2

        I’ve re-watched it and yes although he does say that National didn’t get in, you’re right his comment about Labour blaming National looks to be in context of passing details to Slater.

        http://www.3news.co.nz/The-Week-in-Politics/tabid/370/articleID/215314/Default.aspx

        This week they’ve tried to blame the National Party because if you look at some of the hits on the Labour Party website last weekend yes someone from National Party headquarters tried to get in there, although they didn’t, and it looks like they’ve passed the information on to whaleoil to go and do it himself which he did.

        edit: beaten by Jim!

  9. Jim Nald 9

    I have yet to catch up with the NZ news sites which I tend to shun these days (The Standard is my first call before I look up Google news).

    Can someone tell me whether the so-called list of 18,000 will be publicly released or not?

    I’ll pledge here that for the detail of every one donor that is released, I’ll donate one cent to the Labour Party.

  10. rouppe 10

    Well Flo2Cash might be secure, but the point is that this is only fine once the data gets there.

    The original collection point for the credit card data was on Labour servers, the card (PAN) data was retained when it shouldn’t be, it was retained in a non-PCI-DSS compliant way (i.e. there is no obfuscation of the PAN data), and the server was then left wide open.

    I haven’t seen WO’s files, and I didn’t bother going to look at the cached data. But if there are credit card numbers among that data, then Labour really screwed up.

    [Read the post. There are no credit card details in the cached data. Credit card details were never stored on the Labour site. — r0b]

    • I just went and made a donation.  When I got to the stage of entering in credit card details I was taken to the flotocash website and away from the Labour website.  There was extra code in the url to obviously record who the donation was for but it was definitely flotocash’s site.
       
      If anyone else wants to do the same they start at http://labour.org.nz/civicrm/contribute/transact?reset=1&id=1

    • lprent 10.2

      If the long text string in the video is what you’re referring to, then it wasn’t a PAN – wrong format. It looks like a transaction ID or a transaction key.

    • rouppe 10.3

      Well good then. That’s a major concern taken care of.

      That means the only problem is the public finding out who the donors are.

      You thought WikiLeaks was good, and the information disclosed there was protected, and was secured, but leaked by someone in a privileged position.

      Disclosing the names there could lead to their death, but that seemed to be fine. Why is this leak a travesty of the most humungous proportions?

      • Lanthanide 10.3.1

        1. A lot of the stuff wikileaks has had names and identifying details redacted.
        2. Wikileaks leaked stuff about large corporates, governments, and their machinations. Not private details about members of the public.
         
        It took me 2 minutes to come up with that. I’m sure there are many other differences between them, too.

      • lprent 10.3.2

        The leak isn’t – that is an accident that needs to be fixed.

        What is of interest is that Whaleoil was talking about releasing private information to the world with no more “public interest” motivation than if he’d want to display his cock size. And it is easy to argue that is what he was doing by publishing the details (doing a “Weiner”).

        Since he has no “public interest” protections in the legal sense, then he should probably be prosecuted at some level for what he did do. Of course being Whale, he will attempt to feebly avoid the consequences of his actions in the same way that he did when he violated the suppression laws. He isn’t exactly well known for his stands on principles – more for his displays of juvenile narcissism.

        The other question is that knowing what Whaleoil was likely to do, why did someone in the National Party, probably quite senior, feel that it was a good idea to pass the details on to such a juvenile narcissist. That doesn’t seem to be a particularly wise thing to do, and even if it was not criminally negligent then you could certainly make a case that it directly violated several aspects of the privacy laws.

    • lprent 10.4

      And besides, your statement is that of a technical idiot: how exactly do you get the PAN from the mag stripe on the card into a payment made on the internet?

      • Lanthanide 10.4.1

        He’s clearly just name-dropping things like “PAN” in order to sound like he knows what he’s talking about.

        • rouppe 10.4.1.1

          Actually, that is only part of the information on the mag stripe. The PAN is the primary account number – the number embossed on the front of the card and usually entered in an online transaction.

          It took me less than 2 minutes to come up with that.

          So since you failed in your attempt to divert the question, what is so bad about leaking details about donors to the Labour organisation, when it was OK for WikiLeaks to leak details about different organisations?

          • lprent 10.4.1.1.1

            Interesting. I have only come across it in the context of the magnetic strip or smart cards at the programming level.

            But in any case it is still the wrong format if you look at it as a human or as a machine. The payment system is such that Labour’s website never sees the payment details like credit card numbers or CVVs.
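Added example (editor’s code, not from the original post or any commenter): lprent’s point above is that the long string in the video is the wrong format for a PAN. A PAN is 13 to 19 digits, usually in groups of four, and passes the Luhn check digit; a hex transaction key fails all three tests. The scanner below is the check a responder would run over a cached dump to answer “are there card numbers in here?” The sample dump is constructed for illustration and is not the Labour data; the test card number 4111 1111 1111 1111 is the standard Visa test value, not a real card.

```python
import re
from typing import List

# Constructed sample, not from the cached Labour data: a hex transaction key,
# a donor id, a phone number and one Luhn-valid test card number.
SAMPLE_DUMP = """
txn_key=4f3c9a7d2b1e48f0a6c5d3e2b1f0a9c8
donor_id=18273
test_pan=4111 1111 1111 1111
phone=0211234567
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check digit, as used by every major card scheme."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(s: str) -> bool:
    """True only if s is 13-19 digits (separators allowed) and Luhn-valid."""
    digits = re.sub(r"[ -]", "", s)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    return luhn_ok(digits)


def find_pans(text: str) -> List[str]:
    """Return every PAN-shaped, Luhn-valid token found in a text dump."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if looks_like_pan(m.group(0))]


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_DUMP):
        print("possible PAN:", mask(hit))
```

The hex key in the sample never matches because letters break the digit run; the phone number is too short; only the test card survives the Luhn check. Luhn is a checksum, not proof, so a hit still needs a human look, but a miss on a string that is not even all digits settles the “wrong format” question.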

  11. djg 11

    Rob, has the Labour party made the same statement,

    “There are no credit card details in the cached data. Credit card details were never stored on the Labour site.”

    If not, will they do so? I note the letter above from Flo2cash but that only refers to their own site and process.

    It would be a very compelling statement from the President.

    [lprent: It was in the press statement several days ago. Look it up.

    In the meantime I have trashed most of the flame thread that arose from this troll comment as being of zero interest to anyone. djg, you are now on troll watch. CV – constrain yourself or I will do it for you. ]

    • Colonial Viper 11.1

      Hey djg, why don’t you charge for your valuable advice? A-hole.

      [lprent: Don’t feed the trolls. ]

    • djg 11.2

      But I see Colonial Viper’s first abuse remains. That’s nice work.

  12. randal 12

    what the hell is going on.
    these people have committed a crime but you are carrying on as if it is just some interweb jape.
    are these crums above the law?
    get the cops on them right away and don’t let up.

  13. infused 13

    “Having demonstrated complete technical incompetence”

    Yeah, still claiming it was a security hole eh? yawn

    • Colonial Viper 13.1

      It was an unsecured webserver where confidential information not intended for public access was stored.

      That confidential information was then accessed by parties who did not have authorisation to do so.

      I’m happy to keep repeating this as long as you’re happy to be obtuse 🙂

      • Gosman 13.1.1

        Was the information in question tagged in any way as being confidential and not for the general public? If not then you have to presuppose that people have to make a distinction between public data on a publicly available website and private data on a publicly available website. You see the issue there don’t you?

        • Lanthanide 13.1.1.1

          Anyone that could make sense of the data would know what it was and that it wasn’t *intended* for public consumption. Therefore those who specifically took the data *knew* they were taking something that they shouldn’t have had access to.
           
          As we’ve seen with the looting in Christchurch, there’s quite a difference between someone with autism stealing light fittings out of houses because he has an affinity to them, and someone else stealing a generator that was to be used to power a cell-site.

  14. wawot 14

    I don’t know much about this so could you please clarify:

    Your quote from the whale blog has the following bit edited out…

    “….with that assurance.

    In the MySQL database files there were also plain txt strings that contained other database passwords along with the user name and passwords of their credit card provider.

    $db_url = ‘mysqli://labour_admin:N0t3b00kC0r0n3t@localhost/labour_production’;

    which equates to $db_url = ‘mysqli://username:password@localhost/databasename’;

    Their credit card….”

    From the example provided the username is labour_admin and the password is N0t3b00kC0r0n3t, which although it mightn’t be a credit card, is a username and password to something?

    After reading a bit on this blog and some on the other blog I’d tend to be scaremongered if I was a Labour supporter.
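Added example (editor’s code, not from the original post or the commenters): the `$db_url` string wawot quotes is a Drupal-style database connection URL, and as wawot reads it the part before the `@` is a username and password. When triaging an exposed config or a cached dump, the useful first pass is to pull every URL that carries embedded credentials, record the host (a `localhost` host means the credential is only directly usable on that server, which limits but does not remove the exposure, e.g. if the password is reused elsewhere), and redact the secret before the material is passed around. The sample settings text below is constructed to mirror the page’s format and does not use the credential quoted above.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample in the same shape as a Drupal settings.php fragment.
# The credential is invented for this example.
SAMPLE_SETTINGS = """
$db_url = 'mysqli://app_user:Example_Pa55@localhost/app_production';
$payment_url = 'https://secure.example.test/donations/donate.aspx';
"""

# scheme://<anything but whitespace or quotes>@<host...>
CRED_URL = re.compile(r"""\b[a-z][a-z0-9+.\-]*://[^\s'"]+@[^\s'"]+""", re.I)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def extract_credentials(text: str) -> List[Dict[str, object]]:
    """Find connection URLs with user:password@host and break them apart."""
    found = []
    for m in CRED_URL.finditer(text):
        parts = urlsplit(m.group(0))
        if parts.username is None:
            continue  # an '@' in the path, not a userinfo section
        found.append({
            "scheme": parts.scheme,
            "user": parts.username,
            "password": parts.password,
            "host": parts.hostname,
            "db": parts.path.lstrip("/"),
            # Local-only does not make the credential safe, but it does
            # change who can use it directly.
            "host_is_local": parts.hostname in LOCAL_HOSTS,
        })
    return found


def redact(text: str) -> str:
    """Replace the password in every credentialed URL with *** (user kept)."""
    def _strip(m: "re.Match[str]") -> str:
        return re.sub(r"://([^:@/]+):[^@]*@", r"://\1:***@", m.group(0))
    return CRED_URL.sub(_strip, text)


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_SETTINGS):
        print(f"{cred['scheme']} credential for {cred['user']} on "
              f"{cred['host']} (local={cred['host_is_local']})")
    print(redact(SAMPLE_SETTINGS))
```

The payment URL in the sample is not flagged because it carries no userinfo, which matches the point made in the post: a bare `https://` link to a payment processor is not a credential, whereas `user:password@` before the host is.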