The Dim-Post

October 16, 2012

Just a thought

Filed under: general news — danylmc @ 7:58 am

Via the Herald:

Ira Bailey – one of 17 people arrested in the Urewera raids in 2007 – was the first to discover the major privacy flaws in Work and Income’s self-service kiosks but has denied claims he demanded money in return for the information.

Mr Bailey, an IT analyst, said he told the Ministry of Social Development last Monday that there was a security issue, before he tipped off blogger Keith Ng.

If Ira Bailey discovered he had Domain Admin access to the entire MSD network, and all he did was – allegedly – ask for an exploit reward and then tip off a blogger, then he might not have been quite the fearsome terrorist that the police and intelligence agencies thought.

30 Comments »

  1. ‘You’re crazy, what this proves is that this was all a set-up terrists in the Liar-Bore party’

    Or so I’m told.

    Comment by Pascal's bookie — October 16, 2012 @ 8:02 am

  2. Oh please! Obviously he should have quietly fixed the problem himself with a few keypresses, then gone about his business. That’s what one of the Greatest Generation would have done.

    Comment by Andre Alessi — October 16, 2012 @ 8:03 am

  3. And the same goes if he had gone to protest organisation and sign making workshops in the Ureweras instead of bomb making and military tactics sessions. And if he had threatened to release sensitive information if he didn’t get paid he might have been considered a blackmailer. Funny how when facts and circumstances change, so do perceptions.

    Comment by insider — October 16, 2012 @ 8:31 am

  4. Keith Ng says he rang up and SIMPLY ASKED IF THEY HAD ANY SORT OF PAYMENT SCHEME FOR PEOPLE WHO SPOT ISSUES. No asking for blackmail money or such like.

    Comment by Sanctuary — October 16, 2012 @ 9:11 am

  5. If I had accidentally found I could access highly sensitive information about children in welfare I would have told the MSD staff there and then. I would have thought there would be some urgency given the nature of the information.

    Comment by NeilM — October 16, 2012 @ 9:19 am

  6. @NeilM

    You would have told the MSD staff, and that’s good. It might have made a difference. Or it might still be sitting on somebody’s desk.

    Now the government – the whole country – is telling the MSD staff, and the chances of making that difference just multiplied.

    Better outcome, no?

    Comment by sammy 2.0 — October 16, 2012 @ 9:34 am

  7. You would have told the MSD staff, and that’s good. It might have made a difference. Or it might still be sitting on somebody’s desk.

    It would have been my first action. I think it would have been a lot of people’s first response. If it hadn’t had the desired effect then one would have looked at other options.

    The sensitivity of the information would have made me think there was some urgency to act.

    Comment by NeilM — October 16, 2012 @ 9:46 am

  8. One man’s exploit reward is another man’s blackmail.
    Can you imagine how much bigger the story would have been if MSD had actually bunged him some readies?
    Govt department pays hush money!

    A fantastic hit put on Paula Bennett diluted with the usual left wing amateurish delivery.

    Comment by Barnsley Bill — October 16, 2012 @ 9:55 am

  9. It’s an interesting comment on the nature of civic responsibility when there is widespread agreement that one should treat a govt dept in the same way as a multinational corporation.

    Still, even with money making firms, if I had logged onto my bank site and found some security hole my first thought would not be how much of a fee I might get from the bank but that other people’s finances might be at risk as well.

    Comment by NeilM — October 16, 2012 @ 10:22 am

  10. > The sensitivity of the information would have made me think there was some urgency to act.

    Well, it seems that Bailey did inform MSD who looked at their systems and found nothing untoward. I guess that is the problem when you don’t have proof. MSD might have thought Bailey was just a time-waster or crackpot. Now they know otherwise.

    Comment by Ross — October 16, 2012 @ 10:23 am

  11. Well, it seems that Bailey did inform MSD…

    but only in very vague terms, he didn’t say what the problem was.

    Comment by NeilM — October 16, 2012 @ 10:26 am

  12. Nek minnit – every Helenhate porno-publisher and inveterate bennybasher in the land is miraculously transformed into an upright pillar of propriety with a deep and abiding concern for the privacy of ……beneficiaries. And what did Nick Smith resign over again?

    Comment by ak — October 16, 2012 @ 10:32 am

  13. Hardly, this is a massive cock-up. MSD are going to have to start cutting heads off over this.
    But please, don’t paste a hard-left nut job computer geek as a freedom fighter.
    He will be lucky to avoid an attempted blackmail charge.

    Comment by Barnsley Bill — October 16, 2012 @ 10:39 am

  14. It’s a given (and a ridiculous situation) that a public body becomes noticeably more decisive and effective when the media get involved – possibly showing that local managers aren’t telling their national managers about issues until there’s a blogger or reporter on the line.

    Ira was a bit of a dick to ask for a reward, but to label it as blackmail is a weak effort to shift public attention.

    Comment by Ataahua — October 16, 2012 @ 10:43 am

  15. The fact is rewards for information on exploits are normal in the IT industry. I’m betting that a bank would pay a reward for information on an exploit. Therefore, there is nothing untoward in asking if such a reward exists for Winz. It seems pretty obvious that they didn’t take him seriously – otherwise they would have tried harder to get him to tell them about what the issue was. After all, they took DAYS to respond to his initial query.

    Giving the info to a journalist friend is just as innocuous – it certainly made sure that the issue got the attention it deserved and allowed the journalist in question to make a name for himself by doing good work.

    Comment by wtl — October 16, 2012 @ 10:48 am

  16. I know the emperor is naked, but what about that child? He deserves to be punished. And he certainly should never have asked for a lollipop.

    Comment by Stephen J — October 16, 2012 @ 10:54 am

  17. Let’s update our dictionaries. It’s not blackmail. It’s called “behaving like Warner Bros”.

    Except they got the cash.

    Comment by sammy 2.0 — October 16, 2012 @ 11:01 am

  18. If blackmail had actually occurred, wouldn’t MSD reps have raised a complaint with the Police?

    Just a thought…

    Comment by Gregor W — October 16, 2012 @ 11:05 am

  19. “Can you imagine how much bigger the story would have been if MSD had actually bunged him some readies?
    Govt department pays hush money!”

    Is there any indication that if they had paid him he would have agreed to keep quiet? Breaches like this need to be made public. It’s not about the MSD, it’s about their clients.

    So you can offer them the info and see what, if any, processes they have, or go to the media.

    If the process they have appears to be “keep quiet” then go to the media anyway. But their process was, um, “No. What are you talking about, erm.” Which doesn’t exactly instil confidence that they would be open about what had happened.

    So they released the details, at a time when the offices were closed, and informed the privacy com, and the MSD.

    Good job as far as I’m concerned.

    Comment by Pascal's bookie — October 16, 2012 @ 11:07 am

  20. NeilM,
    @8 “The sensitivity of the information would have made me think there was some urgency to act.”

    You’re conflating what Ng found with what Bailey found. We know that Ng copied thousands of documents and spent time going through them, and in the process found lots of sensitive records. But Ira Bailey may just have realised there was a hole in the security during a short visit to a WINZ kiosk, and left it at that. We don’t know how much digging he did; there is no comment (yet) to suggest he accessed children’s medication details or the addresses of safe houses. That’s what Ng found, during a week-long investigation.

    Comment by MeToo — October 16, 2012 @ 11:08 am

  21. Are there any businesses or organisations in New Zealand that offer exploit rewards for their systems? I’m not clear on whether this is a globally common thing or if it’s also common in New Zealand.

    I would’ve been surprised if any part of the NZ government offered exploit rewards, but mostly going from my introspective impression of the general culture here compared with some other countries.

    Comment by izogi — October 16, 2012 @ 11:13 am

  22. But Ira Bailey may just have realised there was a hole in the security during a short visit to a WINZ kiosk, and left it at that. We don’t know how much digging he did…

    He did enough digging to come to the conclusion that the hole wasn’t trivial, so leading him to think the govt might pay a fee.

    Comment by NeilM — October 16, 2012 @ 11:52 am

  23. Oh for God’s sake, don’t tell me this is going to be another political scandal involving a huge series of unexpected twists and turns and new characters in the plot emerging out of the woodwork every five minutes? Haven’t we had enough of backstabbing and security breaches, extortion, etc, this year?

    Comment by Dan — October 16, 2012 @ 12:38 pm

  24. >Can you imagine how much bigger the story would have been if MSD had actually bunged him some readies?

    It would never have been a story at all. The kiosks would probably have just been fixed up and still operational. Now, it’s a huge story and is going to cost taxpayers a lot more money. That’s how things are done in non-corrupt countries. It’s generally better, but in many ways it’s not better.

    Comment by Ben Wilson — October 16, 2012 @ 12:44 pm

  25. It turns out that Winz was aware of the issue from APRIL LAST YEAR and didn’t do anything about it: http://www.stuff.co.nz/national/politics/7821061/MSD-concedes-Winz-security-failure

    This was from a report looking at security holes in the kiosks. If they didn’t do anything in response to that report, they definitely wouldn’t have done anything in response to a tip off from Bailey. So in other words, Bailey and Ng have done us a huge favour in making sure this gets dealt with.

    Comment by wtl — October 16, 2012 @ 12:48 pm

  26. “Hah – your analysis is weak. As usual, Whaleoil has a far more plausible and logically consistent assessment of this dangerous terrorist’s character.”

    Interesting, Cameron Slater is intentionally misrepresenting a number of aspects of this story, and deleting replies.

    Comment by mike — October 17, 2012 @ 12:15 am

  27. The ethics of Bailey and Ng are irrelevant (personally I do not think they have done anything dubious).

    What matters is the security breach, which Winz knew about, which Bennett should have known about (and probably did not).

    Danyl, you are wanking all over your blog spot.

    Very disappointing.

    Comment by peterlepaysan — October 17, 2012 @ 7:18 pm

  28. Nobody in the govt is attempting to defend the error.
    But Bailey’s involvement is suspicious.

    Comment by Barnsley Bill — October 17, 2012 @ 7:28 pm

  29. “But Bailey’s involvement is suspicious”

    Why? Tens of thousands of people or more in New Zealand would likely have the skills and aptitude to stumble on this security hole if they were in the right place and coincidentally trying to do the right thing, know what it meant, and potentially abuse it. We only have his word to be sure that he didn’t actually abuse it, but that’s nothing compared with all the people who easily could have done so until now. We’ll probably never know how many bulk copies random people or investigators might have made throughout the past year just in case the data might be useful later. To top it off, however, he actually told someone for the better interest of the public to know how crappily their information’s being treated.

    Comment by MikeM — October 17, 2012 @ 9:19 pm
