Welcome to this week’s casual kōrero thread!
This post will be pinned in this community so you can always find it, and will stay for about a week until replaced by the next one.
It’s for talking about anything that might not justify a full post. For example:
- Something interesting that happened to you
- Something humorous that happened to you
- Something frustrating that happened to you
- A quick question
- A request for recommendations
- Pictures of your pet
- A picture of a cloud that kind of looks like an elephant
- Anything else, there are no rules (except the rule)
So how’s it going?
Happy new year.
I’m about to start a new job! Excited.
Congratulations, new year new job!
I tend to get new jobs in the winter for some reason.
Hmm for me it’s almost always in the new year or at the end of the year… so even this one fits the pattern.
Anyway, I think the IT job market is finally picking up a tiny bit. Hopefully we’ll see more this year.
Happy New Year everyone! (if a few days late)
Happy belated new year to you and everyone as well
Holidaying in India and I’m stupidly glad I didn’t grow up living on a traffic island in a large intersection. Lots about this place is wonderful but there’s always that undercurrent of brutal systemic factors…
I saw today on RNZ about the manage my health hack that it was a single module that had been exploited via a valid password. Presumably they weren’t limiting or sanitizing input, allowing lateral retrieval of others’ records? I was curious if there were any more details around it?
I’ve only been vaguely aware of what’s going on… For MMH, the timing is probably fairly convenient with everyone enjoying summer rather than reading the news at work?
I don’t have any insider information so I’m just spitballing here :D but I have worked in health IT field before and I’m not even a little surprised that bugs like these exist - and have been exploited.
Poor authorisation handling bugs are quite common. Authentication is largely a solved problem what with OAuth (not that a lot of NZ health IT providers use it… sigh) but each software developer still has to solve the problem of authorisation. And it’s just all too easy to forget that random IDs are not secure and are not even random.
Sounds like a case of enumeration. Log in to your account and get sent to www.nzhealthsite.nz/loggedin/1234, then go and manually edit the URL to www.nzhealthsite.nz/loggedin/1235. The site is only checking that you have logged in and are allowed to be in the secure area and not checking what information you are allowed to have.
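The authorisation gap described in the two comments above, as an added example that is not part of the thread or of any real product: a record handler that only checks for a valid login beside one that also checks the record belongs to the caller, plus a simple access-log heuristic for spotting a session walking through sequential IDs. RECORDS, SESSIONS, the handler names, AuthzError and the (session, record_id) log format are all constructed for this demo.

```python
# Constructed sample data: sequential record IDs, each owned by one patient.
RECORDS = {
    1234: {"owner": "alice", "note": "alice's lab results"},
    1235: {"owner": "bob", "note": "bob's lab results"},
}
# Constructed sessions: a session token maps to the authenticated username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class AuthzError(Exception):
    """Raised when a logged-in user requests a record they do not own."""


def get_record_authn_only(session_token, record_id):
    """Vulnerable: checks authentication (valid session) but not authorisation.

    Any logged-in user who edits the ID in the URL receives someone else's record.
    """
    if session_token not in SESSIONS:
        raise PermissionError("not logged in")
    return RECORDS[record_id]  # no check that this record belongs to the caller


def get_record_with_ownership(session_token, record_id):
    """Hardened: same authentication check, plus an object-level ownership check."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("not logged in")
    record = RECORDS.get(record_id)
    # Return the same failure for "missing" and "not yours" so the response
    # does not reveal which sequential IDs exist.
    if record is None or record["owner"] != user:
        raise AuthzError("record not found")
    return record


def can_read(handler, session_token, record_id):
    """True if the handler returns the record rather than refusing the request."""
    try:
        handler(session_token, record_id)
        return True
    except (PermissionError, AuthzError):
        return False


def sessions_enumerating(access_log, threshold=3):
    """Detection heuristic: sessions that read at least `threshold` distinct
    record IDs. access_log is a list of (session_token, record_id) tuples."""
    seen = {}
    for token, record_id in access_log:
        seen.setdefault(token, set()).add(record_id)
    return sorted(t for t, ids in seen.items() if len(ids) >= threshold)
```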