
URL: https://www.kiwiblog.co.nz/2012/10/ira_bailey.html
Submission: On August 21 via manual from NZ — Scanned from NZ


October 16, 2012 9:00am by David Farrar


IRA BAILEY

Keith Ng blogs:

> The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He
> currently works as a system administrator, has a young child, and is not
> interested in being the media limelight. That's why he asked for anonymity.

Mr Bailey is not interested in publicity? This must be a recent thing, as he has
sought it in the past.

> He did not have any special access to the system – he just had half an hour to
> kill at a WINZ office.

So Bailey says he just happened to be at a WINZ office, and was bored.

> He plugged in his USB drive and it didn't appear, so he had a poke around the
> system to find it – and found the giant vulnerability instead.

Yeah, I plug in USB drives to computer terminals all the time.

I should make very clear that I think Keith Ng has acted entirely properly and
ethically. He got told of a security breach, he investigated it, he took evidence
to prove it, he notified MSD and the Privacy Commissioner, he revealed the
breach and handed all the data over to the Privacy Commissioner.

I also think Keith believes what Mr Bailey has told him. I'm just slightly more
sceptical of the story that an experienced system admin just happens to be
bored, at WINZ, and accidentally finds it. Especially when you consider what he
then did.

> He called MSD to ask if they had a reward system for reporting security
> vulnerabilities. This is not unusual practice, and it's certainly not
> blackmail. Google and Facebook, for example, both pay for vulnerability
> reporting. It gives them an opportunity to close holes discreetly, without
> causing embarrassment for their company.

Yes, giant global tech companies have been known to have a reward system. I've
never ever heard of a Govt Dept having such a system, and companies that do
tend to advertise the fact. I asked Keith if Bailey asked for or suggested a
specific amount, and he said no.

It is unfortunate Bailey thought his “accidental” half hour discovery was
something MSD should pay for and did not do what Keith did, and just alert the
Privacy Commissioner and publish what happened – either directly or via Keith.

> MSD called Ira back two days later. They told Ira that they don't pay for
> vulnerability reports. Ira told them he'd been talking to a journalist and the
> conversation didn't go anywhere after that.

I'd be interested in details of that conversation. I'd also be interested in how
after that MSD didn't find the massive security hole. Who was alerted to the
request for payment?

> Should he have reported the vulnerability, free of charge? Yeah, that would
> have been the selfless thing to do for the public good. But asking to be
> compensated for his troubles is not unreasonable, either. After all, it's not
> as if the people MSD ended up relying on – KPMG – did it for free.

There is a difference between being asked to locate a vulnerability for a fee,
and finding one and asking someone to pay you for it, or otherwise you'll expose
it in the media.

As I said, I think Keith has acted entirely appropriately, and I've said so on
radio – his actions have served the public interest. I'm reserving judgement on
Bailey until I've heard more detail.



COMMENTS (80)



 * DAVIDP
   
   > I should make very clear that I think Keith Ng has acted entirely properly
   > and ethically.
   
   I disagree. Bailey was essentially trying to blackmail MSD by threatening to
   publicise a vulnerability that might cost people their jobs unless he was
   paid. Ng should have revealed the fact that he was helping a blackmailer
   extract his utu in his initial report.
   
    * October 16, 2012 9:04am

   


 * KEEPING STOCK
   
   It would be interesting to know what was already on the USB drive that Bailey
   plugged in to the WINZ kiosk. Is it beyond the realm of the imagination that
   he was trying to introduce something FROM the USB stick TO the MSD computer
   system?
   
   It’s also interesting to note that in the Scoop profile on Mr Bailey at the
   time of his Urewera arrest that he is a friend of Nicky Hager, of the Don
   Brash e-mail saga infamy; how convenient.
   
   http://keepingstock.blogspot.co.nz/2012/10/so-many-questions.html
   
    * October 16, 2012 9:07am

   


 * AG
   
   Why does it matter what Bailey’s (or Ng’s) motives were? Does it change the
   WINZ failings one little bit? And isn’t THAT the real story (along with the
   oversight failure that allowed them to occur)?
   
   Or, let’s say Bailey IS a no-good, blackmailing piece of shit. So what?
   
   [DPF: I’m not suggesting it changes the story. I’ve blogged and said on radio
   that the failure by MSD is huge, much more concerning than ACC, and in fact
   have said I expect sackings.
   
   But that doesn’t mean the public don’t deserve to know the full background to
   what happened. The nice thing with a blog is you have no space limits, so
   can cover multiple aspects to a story.]
   
    * October 16, 2012 9:10am

   


 * TVB
   
   I was staggered at the range of information that was accessed. I would have
   thought it should have been fenced off. It seems all secret information is
   held in one place like an Aladdin’s cave. Unbelievable. This is a hanging
   offence starting at the top. But watch them wheel up some middle ranking
   official and blame him or her.
   
    * October 16, 2012 9:11am

   


 * WRECK1080
   
   MSD should have paid — a thousand bucks to plug a hole which will save
   millions.
   
   This is not blackmail. He knew of a security flaw, notified msd that he could
   provide his services to identify this security hole for them.
   
   MSD probably paid Pricewaterhouse millions to do the same thing, yet, they
   detected nothing.
   
    * October 16, 2012 9:11am

   


 * MARK
   
   AG couldn’t agree with you more. Bailey’s motives are a sideline to the real
   issue, which is that MSD has a massive IT security failure. I am not
   particularly bothered as to what his motives were, I am a hell of a lot
   concerned that he was able to do what he did, and so easily.
   
    * October 16, 2012 9:18am

   


 * PETE GEORGE
   
   If Bailey was really motivated by money or publicity:
   – wouldn’t he have waited to hear back from MSD before going to Ng?
   – wouldn’t he have gone to media with much bigger pockets?
   – wouldn’t he have dragged out the revelations like on political hit jobs?
   – wouldn’t he have revealed his identity from the start?
   
   We can quibble about motives and methods but as others are saying the
   revelation of appalling data security is the big story here, and the
   responsible way the revelation has been handled by Ng and Bailey – Ira Bailey
   versus MSD.
   
    * October 16, 2012 9:19am

   


 * DAVIDP
   
   wreck1080>This is not blackmail. He knew of a security flaw, notified msd
   that he could provide his services to identify this security hole for them.
   
   It isn’t the way we do things in NZ. If I’d visited a rellie in hospital,
   spent a few minutes wandering around the wards, and spotted some unsafe
   situation that might cost someone an injury or their life… then would the
   correct thing to do be:
   
   a) Tell the hospital staff so they can fix it; or
   
   b) Ring up MOH. Don’t describe the exact problem so it can be identified and
   fixed. Demand to be paid, otherwise I’ll tell Keith Ng so that he can do a
   report on unsafe conditions in hospitals and someone will end up losing their
   job.
   
   Telling the media isn’t blackmail. Asking for a reward and handing over
   detail of the vulnerability regardless isn’t blackmail. Asking for payment
   and threatening to go to the media unless you’re paid IS blackmail, and Keith
   Ng was an accessory.
   
    * October 16, 2012 9:20am

   


 * MARK
   
   Wreck has a good point also. WTF were PriceWaterhouseCoopers being paid for
   if they could not find such a fundamental hole in the system security. I
   would be fascinated to see what PWC was paid for their services in this area
   and to what benefit. Perhaps the government inquiry should extend to what PWC
   were contracted to do and what they achieved.
   
    * October 16, 2012 9:23am

   


 * NOSTALGIA-NZ
   
   So the leak is fine, the problem is actually Ira Bailey. Got it.
   
    * October 16, 2012 9:25am

   


 * ALAN JOHNSTONE
   
   Have these people never heard of VLANs?
   
   Whole thing is an epic fail.
   
   Is this run internally or outsourced?
   
    * October 16, 2012 9:25am

   


 * PETAL
   
   Geez DPF, your fawning over him is awkward. You don’t have to stick the knife
   in, but your front-footed support and defence of him is … uncomfortable.
   
    * October 16, 2012 9:30am

   


 * YVETTE
   
   Are the technicians now presumably working to fix the flaw working for free?
   Ira Bailey and Keith Ng would probably like to know how much an hour these
   technicians are earning.
   
    * October 16, 2012 9:32am

   


 * BEAB
   
   I am sure that if he had been paid he would have still gone public and
   claimed he was given hush money. This guy is subversive with links to others
   who want to destabilise our society and its agencies. And who knows what
   inside assistance they were getting from disgruntled fellow travellers in the
   department who long for the return of their Labour mates to power?
   
   As well, once again we are shown what a crowd of incompetents we employ, at
   huge expense, in our public departments. If anything is an argument for
   privatisation, surely this debacle is.
   
    * October 16, 2012 9:35am

   


 * MANOLO
   
   PWC will not come out smelling of roses after this gross failure. The company
   appears to have done a very poor job with its “security audit”.
   
    * October 16, 2012 9:40am

   


 * FLIPPER
   
   The more this scab is picked, the more the sepsis is exposed.
   
   It is clear that the consultant employed by WINZ to find the “Hole” last year
   (their statement), did not do the job – or something was done to the system
   at a later date.
   
   That (Bailey’s) USB drive is not a good look since it may have contained the
   means by which Bailey and Ng gained entry. In other words the “Hole”.
   It is not quite black, but it is very, very murky.
   
    * October 16, 2012 9:40am

   


 * DOC
   
   Dear neighbour,
   I know you’re overseas on holiday, but I was poking around your place and
   noticed that your front door isn’t locked… If you flick me some cash, I’ll
   lock it for you… Otherwise I know some guys who will make it worth my while.
   Sincerely,
   Ira
   
    * October 16, 2012 9:43am

   


 * MANOLO
   
   Once a crook, always a crook. Bailey, Urewera terrorist, is a crook.
   
    * October 16, 2012 9:44am

   


 * AUBERON
   
   Either that or someone with an axe to grind or political motives inside MSD
   opened the gate and called Ira Bailey and told him where to look. I wouldn’t
   be surprised if the gate wasn’t open when PWC went looking. And I expect the
   inquiry will tell us a lot more about this. It goes way beyond coincidence.
   In fact it stinks to high heaven.
   
    * October 16, 2012 9:45am

   


 * TRISTANB
   
   @Yvette and Wreck.
   It doesn’t matter how much the technicians are paid to fix the problem. (I’d
   guess any experienced network guy could fix the isolated problem in 20
   minutes. And it’s a government agency, so they’ll be paying the technicians
   too much.) You can’t demand money when you discover a flaw – that’s not how
   it works. Besides, he wasn’t offering to fix the problem for a fee, he was
   offering to tell them about a problem which he accidentally discovered.
   
   If a parking warden notices the bonnet of your car is very loose, he might
   have saved you hundreds in repair costs, but a thank you is all that you owe
   him.
   
   Bailey’s demands show where his motives lie however. A greedy swindler, who’d
   rather try and make a quick buck than be honest and report the situation. He
   put his thirst for cash ahead of the privacy of the children and families
   whose details were out in the open. What a despicable person – he could have
   helped people, but he wanted dough.
   
   None of this should distract from the initial mistake, but from what I
   understand it is a very, very, very stupid mistake to make. Almost too
   stupid.
   
    * October 16, 2012 9:46am

   


 * LASTMANSTANDING
   
   PWC and KPMG et al are a joke. They charge like wounded bulls and fail to
   deliver. Look at the finance company collapses. These bozos provided the so
   called independent reports and valuations that turned out to be a cock of
   shit.
   
   Their reputations are shot thru. None of them should be allowed anywhere near
   MSD or any other government department’s systems.
   
   What with ACC and now MSD the question is who’s going to be next. You can bet
   your bottom dollar there are systems shot full of holes out there just
   waiting to be plundered.
   
   JK should order a complete review of all IT systems by proven independent
   parties. Otherwise the citizens can have no faith in any government IT
   system.
   
    * October 16, 2012 9:50am

   


 * MACDEE
   
   Auberon, I agree with you, there is more to this than meets the eye,
   especially as it was exposed just as Bennett announced her proposed child at
   risk data base and Ardern was commenting in every interview that it was dodgy.
   
    * October 16, 2012 9:57am

   


 * BEAB
   
   Doc
   Well said. Every day I could go through my neighbours’ letterboxes and find
   out lots about them. I don’t. Neither do they.
   
   Shearer is building a ‘gotcha’ world and I don’t like it.
   
    * October 16, 2012 10:01am

   


 * KEEPING STOCK
   
   flipper said
   
   > That (Bailey’s) USB drive is not a good look since it may have contained
   > the means by which Bailey and Ng gained entry. In other words the “Hole”.
   > It is not quite black, but it is very, very murky.
   
   Right on the money. A known activist with no need whatsoever to go into a
   WINZ office to access a computer (he works with computers FFS) goes into
   WINZ, logs in to a kiosk, inserts his USB drive and suddenly discovers a
   security breach…have I got a bridge for you! It’s just too convenient,
   especially when Bailey is a known associate of the likes of Valerie Morse and
   Nicky Hager. And don’t forget; his sister Emily was one of those convicted of
   firearms offences after the Urewera trial.
   
    * October 16, 2012 10:05am

   


 * LABRATOR
   
   If Ira Bailey is such a nasty piece of work why didn’t he do more damage with
   the material available? He gave his name over freely and gave a return
   number. He could’ve easily collated the most sensitive bits of data and
   secretly sent that to whoever he felt like, including Shearer, Norman et al.
   and had the government running around in a mad fit trying to find out where
   this super sensitive stuff was coming from. The last place they would’ve
   looked was the Winz public kiosks that’s for sure.
   
   A malicious USB stick? Are you kidding? They used the file open dialog in
   Microsoft Word, they didn’t install a trojan. Go down to your local photo
   printing place, you can stick a USB stick in there too. Some people even
   store stuff, like, I don’t know, their CV on a USB stick, which is kind of
   what the whole point of the kiosk was for anyway, to get a job.
   
    * October 16, 2012 10:15am

   


 * CAMPIT
   
   > Prime Minister John Key says Government chief information officer Colin
   > MacDonald will conduct a Government-wide review of online information.
   
   Why online information? I would have thought a review of internal security
   would be in order. Why would the user account used at the kiosk have access
   to so many servers? Internally at MSD do staff have access to all servers,
   regardless of their role?
   
    * October 16, 2012 10:16am

   


 * KEVIN
   
   Yes the problem is when he got in there he only found information to back up
   the public criticism of the welfare gravy train.
   
   Nothing useful to the left except the fact that NZ government computer
   systems are NZ custom designed crap designed by ma and pa limited in a garage
   in taihape. Now tell us something we didn’t know.
   
    * October 16, 2012 10:21am

   


 * DIRTY RAT
   
   I don’t know what’s worse
   
   The shocking exposure of personal information available through MSD, that
   even a two year old could access……
   
   or the hang, draw and quarter hatchet job on the one that discovered it.
   
   I guess if it were Whaleoil, like he did with the adserver hacking, you’d all
   be rubbing yourselves in babyoil and commenting on what a fine job that was
   done.
   
   WINZ = leaks, poor security, blame the left
   ACC = Leaks, poor security, blame Bronwyn Pullar
   Secret Service = Leaks, poor security, blame DotCom or whoever
   
   A piss poor attempt at deflection
   
    * October 16, 2012 10:27am

   


 * TRISTANB
   
   > If Ira Bailey is such a nasty piece of work why didn’t he do more damage
   > with the material available?
   
   Because he’s as stupid as he is greedy?
   
   I think his main motivation was money. That’s why he gave them his name, they
   can’t write a cheque to “anonymous blackmailer”. It was only when he realised
   the MSD wasn’t going to cave in to his extortion attempt that he clumsily
   gave the material to a blogger.
   
    * October 16, 2012 10:27am

   


 * HJ
   
   Nicky Hager the objective journalist told us that affidavits don’t mean much
   with regard to the urewera molotov cocktail cricket club yet the sniff of any
   activity at Waihopai sends him into a fizz. So why does Radio NZ use him for
   comment. Wouldn’t Paul Buchanan be (a lot) better?
   
    * October 16, 2012 10:32am

   


 * KEVIN
   
   Nah it was political. These groups will have been trying to hack everything.
   I wonder how many times a day banks get attempted hackings?
   
   – but they are too secure.
   
   Then police – too secure
   
   … so they feed down the food chain until they manage to hack big fat slack
   old MSD. Bingo….oops …. no book for Hager here, no brethren, WASPs or
   multinationals registered.
   
    * October 16, 2012 10:36am

   


 * PAULL
   
   Not convinced. Sure, there’s a mistake here. But it boils down to the kiosk
   having access to the MSD network. Sounds like all MSD file servers are
   accessible to all staff. That’s pretty common, and Windows does an ok job of
   finding them when you go “map network drive”. Why kiosks wouldn’t be on a
   separate network segment or at least running under an unprivileged user I
   don’t know, but I guess it’s a mistake someone could make.
   
   As for security audit – unless you knew they had kiosks and were asked to
   audit them, this would never show up. Security audits usually focus on access
   via the internet, not someone already inside the firewall.
   
   Embarrassing, yes. Surprising, no.
   
    * October 16, 2012 10:40am

   


 * WRECK1080
   
   Anyone wonder why the MSD managers did not pay him? I bet they wish for a
   time machine now.
   
   If I were an MSD IT manager and advised of a massive security hole, I’d have
   negotiated a confidentiality agreement on the basis the security flaw was
   large.
   
   Why on earth would they not do this? Surely this method is far cheaper than
   some pricewaterhouse security audit. I’ve been involved in these big
   accounting firm IT audits –they really are a joke. More an exercise in box
   ticking.
   
   Anyway, it is a good thing that this has surfaced so now we all know what a
   joke these highly paid IT staff are. This is what happens when you put
   lawyers in charge instead of technical people.
   
    * October 16, 2012 10:45am

   


 * COLVILLE
   
   How do you walk into a MSD office and sit alone for half hour with access to a
   MSD computer?
   
   No point paying him anyways coz he would have outed the hole for public good
   anyways after he had taken the dosh.
   
    * October 16, 2012 10:49am

   


 * NIGGLY
   
   @labrator, you do make some good points.
   
   Whilst there are more questions than answers at the moment, perhaps upon
   reflection (and thinking about political & media game playing that could
   result) one shouldn’t be in a rush to condemn Ira Bailey especially as not
   all the facts are known.
   
   Sure there are questions one could ask of him, such as, how did he hear about
   the security vulnerability? From another source (if so who, someone within
   MSD or another MSD client or another activist or even hacker etc)? Does he
   have a habit of checking govt/corporate public computers/kiosks for
   vulnerabilities (and even if so, I doubt he’d be the only person in NZ to
   have done that)? If so, has he been rewarded in the past and thought he would
   look for more vulnerabilities elsewhere eg MSD? Or was it something that he
   tried for the first time and hit the jack pot? It could even be the latter
   here – who knows.
   
   Just saying this because he may be somewhat innocent (and unintentional
   consequences of accusing him could result in media fallout for the Govt). But
   otherwise if not, then in time once the audits are done we’d have more info
   to go on.
   
   Having said this I’m amazed that someone like Ira Bailey could access
   sensitive areas with the MSD network. Question: did the kiosks have admin
   privileges set which allowed anyone with System Administration knowledge to
   browse around (and even if so, it must have been a hell of a high level admin
   privilege to get into many systems) or else was this not the case and Ira
   Bailey used his SA knowledge to get around internal security measures to
   delve deeper? So far Keith Ng isn’t suggesting the latter in his commentary
   (but then again I’m sure how much SA knowledge Keith Ng would have). I think
   we may need for more info to come out via Keith’s sources or otherwise the
   Govt audit before passing judgement.
   
    * October 16, 2012 10:54am

   


 * DAVID C
   
   This distinctly smells of Ad Hominem to me
   
   Now I’ll save you some time: oh but no you said at the end what a bad thing
   the leak is….nope…that doesn’t fly because the crux of your article is about
   the individual. You even headlined it “Ira Bailey”. And then hilariously said
   that because he was involved in an environmental movement THREE YEARS AGO
   that got some press, you imply he’s a publicity whore.
   
   Then you imply that he couldn’t have been bored with time to kill and at a
   WINZ office, and that he must’ve MALICIOUSLY plugged his USB stick in because
   WHY ELSE WOULD ANYONE DO THAT?
   
   Which is a good question. Why would he maliciously put his USB stick in? What
   possible gain is there for anyone?
   
   Our friend Ira Bailey gained nothing from this. Nada. Zilch. Zip. So he’s
   either the worst blackmailer ever, or you’ve just gotten his motives wrong.
   
   You’re clearly not reserving judgement. This whole post is a judgement.
   
    * October 16, 2012 10:55am

   


 * KIMBLE
   
   Reward that man!
   
    * October 16, 2012 11:00am

   


 * AUBERON
   
   PaulL, you say “Sounds like all MSD file servers are accessible to all
   staff.” Actually MSD chief executive Brendan Boyle refuted that utterly
   yesterday – he said the file Keith Ng opened was most definitely not
   accessible by most internal MSD computer terminals/users. Which is just one
   of a number of reasons why this stinks to me as an inside and politically
   motivated job.
   
    * October 16, 2012 11:02am

   


 * DAVID C
   
   What part of this is politically motivated? Is exposing a massive security
   flaw now considered a partisan action?
   
   The reason you could access these things in kiosks was because when they were
   installed they were given “Admin” privileges. Whereas generic MSD staff were
   not.
   
    * October 16, 2012 11:08am

   


 * OTGO
   
   Maybe the MSD should openly make available these details that Ira so
   helpfully accessed? If we the taxpayer are paying these people haven’t we the
   right to know who they are and the circumstances that allow them to get on a
   benefit?
   (OK I’m not so sure about the info regarding safe houses for battered women)
   
    * October 16, 2012 11:09am

   


 * COLVILLE
   
   this is politically motivated the same way that Whaleoil getting in the
   backdoor of the LP computer system was.
   
    * October 16, 2012 11:15am

   


 * DAVID C
   
   But MSD aren’t a political party? They’re a Government Department. No matter
   who’s in Government.
   
    * October 16, 2012 11:16am

   


 * CAMPIT
   
   > Why online information? I would have thought a review of internal security
   > would be in order. Why would the user account used at the kiosk have access
   > to so many servers? Internally at MSD do staff have access to all servers,
   > regardless of their role?
   
   Ah, here we go.
   
   > MSD appoints Deloittes to review network security:
   > 
   > The second phase would involve a broader look at security across all the
   > ministry’s IT systems, including policies, governance and culture.
   
    * October 16, 2012 11:24am

   


 * COLVILLE
   
   > But MSD aren’t a political party? They’re a Government Department. No
   > matter who’s in Government.
   
   So this affair couldn’t possibly be used to attack the govt then?
   
   Like this?
   http://thestandard.org.nz/no-accountability-in-national-government/
   
    * October 16, 2012 11:34am

   


 * MARY ROSE
   
   There’s a difference between a blackmailer and a bounty hunter.
   
   But “Bailey says he just happened to be at a WINZ office, and was bored. He
   plugged in his USB drive..”
   
   Has anyone asked him WHY? Has he given an answer?
   
   David C >Why would he maliciously put his USB stick in?
   
   Er, why would you innocently do so?
   Only two reasons to plug in a memory stick: to copy things from it to the
   computer, or vice versa.
   
    * October 16, 2012 11:41am

   


 * DAVID C
   
   Umm WINZ staff tell you to bring your CV in on a USB stick so you can work on
   them at the Kiosk.
   
   They don’t allow webmail, and you can’t get to Google Docs so USB is the only
   option.
   
    * October 16, 2012 11:45am

   


 * MARY ROSE
   
   Ah ok. Never needed their services to find a job, so didn’t know that.
   
    * October 16, 2012 11:49am

   


 * KEEPING STOCK
   
   @ davidc – the guy is a system administrator working with computers all day
   long. Why would he need a WINZ computer to print off a CV?
   
    * October 16, 2012 11:58am

   


 * DC
   
   I’m not buying his story either. Would someone working in the industry really
   be stupid and naive enough to think that an NZ government department would
   have a bug bounty program? They are really rare, even for private companies,
   let alone the civil service. It seems like a thinly disguised blackmail
   attempt. With hindsight they should have paid it anyway, but without details
   he probably came across as a scammer. Note that according to Ng he didn’t
   mention the kiosks to MSD at all, so they had no idea where to look.
   
    * October 16, 2012 12:00pm

   


 * MARK
   
   Colville (331) Says:
   October 16th, 2012 at 11:15 am
   this is politically motivated the same way that Whaleoil getting in the
   backdoor of the LP computer system was.
   
   So what if it was. That does not take away the fact that there was no data
   security. Why shoot the messengers here. It is a major data security failure
   by a government department. The motivations are completely irrelevant.
   
    * October 16, 2012 12:11pm

   


 * KEEPING STOCK
   
   @ Mark; no-one is resiling from the fact that a major blunder at MSD has been
   exposed. But Bailey’s involvement raises some very legitimate questions, some
   of which have not been asked yet.
   
    * October 16, 2012 12:27pm

   


 * PETE GEORGE
   
   If you didn’t think it could be any worse:
   
   > MSD security flaw probably found last year – Bennett
   > 
   > Social Development Minister Paula Bennett has conceded it is likely a flaw
   > in her ministry’s computer systems that led to a security breach was
   > actually uncovered in a review last year.
   > 
   > On Monday, the Ministry of Social Development said an investigation by
   > Dimension Data in April last year did not discover the weakness.
   > 
   > Today, it says the company did identify flaws in the system and is not
   > confident the right actions were taken after that report.
   > 
   > Ms Bennett says it looks like the same weakness that’s been made public
   > this week.
   > 
   > “They had identified a flaw. I think it’s our responsibility now to find out
   > if had been followed up appropriately.
   > 
   > “You have to just say, by what we’re dealing with in the last few days,
   > they haven’t been.”
   > 
   > http://www.radionz.co.nz/news/national/118287/msd-security-flaw-probably-found-last-year-bennett
   
   About the only good thing about this is Bennett appears to be upfront about
   it.
   
   Maybe Bailey was looking through some old news and decided to check to see if
   it had been addressed adequately.
   
    * October 16, 2012 12:29pm

   


 * LONGKNIVES
   
   “WINZ staff tell you to bring your CV in on a USB stick so you can work on
   them at the Kiosk.”
   
   I’d love to see Ira Bailey’s CV-
   Work skills: Molotov Cocktails, Blowing up dams, Inciting a race-war…
   
    * October 16, 2012 12:38pm

   


 * SCRUBONE
   
   The fact that he had a USB drive is neither here nor there. The point is that
   “looking for it” was the figleaf he used to excuse his poking around the
   system if he got caught.
   
   It’s clear that the security on this system… well, using the word “security”
   implies that someone actually tried to secure something. They didn’t.
   
   This is basic, basic stuff. Any competent IT person knows that just
   restricting access to windows explorer is not going to stop people accessing
   the file system or network.
   
    * October 16, 2012 1:17pm

   


 * PETE GEORGE
   
   > MSD boss admits warnings might have been ignored
   > 
   > Ministry of Social Development CEO Brendan Boyle has admitted his agency
   > might have ignored warnings from Dimension Data – the company that tested
   > security on its WINZ kiosks.
   > 
   > “We received a report from Dimension Data in April 2011, which identified
   > flaws in our system,” Mr Boyle said in a statement this morning.
   > 
   > At a press briefing yesterday afternoon, Mr Boyle said KPMG and Dimension
   > Data consulted on security to the MSD. Dimension Data had carried out
   > penetration testing on the kiosks and found no issues.
   > 
   > “Since yesterday afternoon I have received further information that means I
   > am not confident that we took the right actions in response to Dimension
   > Data’s recommendations on security. I will look to the review to provide me
   > with the answers.
   > 
   > “We will be asking Deloitte to determine what we did to follow up this
   > report’s recommendations and whether our response was adequate.”
   > 
   > He added, “I can confirm that KPMG was not engaged to penetration test our
   > public kiosks. They have, however, been engaged in doing testing on other
   > parts of our system.”
   > 
   > http://www.nbr.co.nz/article/msd-boss-admits-warnings-might-have-been-ignored-ck-130774
   
   Possibly eighteen months. A few people may be doing a lot of sweating.
   
    * October 16, 2012 1:23pm

   


 * KOWTOW
   
   Will the usual suspects in the Lame Stream Media who breathlessly led the
   night’s propaganda broadcasts when this sensational “news” broke, do a similar
   breathless follow up?
   
    * October 16, 2012 1:31pm

   


 * REID
   
   Further to Pete’s 1:23, NBR has this story on who may? have leaked Ng’s
   source: Bennett.
   
   http://www.nbr.co.nz/opinion/linkedin-trail-leads-bennetts-office-%E2%80%93-ng
   
   One of the dumbest things to come out of this developing farce is the govt
   CIO conducting an across-govt review to identify similar issues across every
   single govt agency.
   
   I mean talk about politician knee-jerk to a point problem. What is the matter
   with Key? Doesn’t the guy understand how expensive this is going to be, for
   what will probably be very little result? I would have expected Hulun to do
   something like this, since she’s never worked outside of govt where our money
   grows on her trees and it’s there for her benefit and we should be gwateful
   she’s spending it cos she’s so fucking wise, but Key doing it? WTF is wrong
   with this idiot? Hasn’t he ever worked in private enterprise? Oh wait. He
   has. Fucking d’oh, Key. This knee jerk reaction speaks volumes about you,
   your management style, your political style, your strategic analysis, your
   commercial perspicacity and your lack thereof in every one of the aforesaid
   arenas.
   
    * October 16, 2012 6:10pm

   


 * NOSTALGIA-NZ
   
   Good point Reid. Deal firstly with this problem – then expand later if
   necessary.
   
    * October 16, 2012 6:19pm

   


 * REID
   
   Just listened to the Bailey interview on Checkpoint around 6:05 where he
   details the exposure, will be worth listening to when it’s posted on their
   site. He alleges in his opinion an across govt audit is necessary. Well he
   would say that wouldn’t he.
   
   But let’s get real people. The Kiosk project is clearly to me at a guess, a
   project where either the Security Architect was asleep at the switch or where
   one wasn’t engaged at all and personally I plump for the latter which means
   the project manager was asleep at the switch. I mean, a Kiosk and you don’t
   bother about security? Either way, it’s an elementary, no brainer, fucking
   d’oh level of mistake which is the IT equivalent of designing a car, clay
   models and all, spending millions tooling up the machines, then discovering
   when it hits the market that, oh dear, it has square wheels instead of the
   usual round ones. This was fuckup #1.
   
   But not only that, a consulting company unfortunately employed only after all
   this money had been spent, apparently pointed out that square wheels weren’t
   the usual thing and possibly this should be investigated. This was fuckup #2.
   
   Now this doesn’t happen everyday does it. Not too many cars with square
   wheels hit the market, do they. Same as this. So what the heck is the point
   in overreacting the way Key has, notwithstanding the monstrous incompetence
   on the part of someone, an individual, that this represents?
   
   But FFS, the point is, you don’t need Deloittes to tell you what went wrong,
   you would easily find this out if you wander down the corridor and talk to
   the staff, which is precisely what Deloittes is going to do, isn’t it. The
   reason why the CEO appointed Deloittes is because of this look she gave him.
   
   One main reason why both govt and corporate managers hire the big six IMO is
   because of their reputation and their massive liability insurance. For this
   reason the managers are quite happy to ditch (and I do mean ditch) $100’s
   sometimes $1000’s of k on twenty-somethings in nice suits who type really
   fast all the time and come in really early and work really late and who are
   led by a “senior partner” who looks and sounds as slick as Richard Griffin
   but may not have quite as much going on upstairs, or more precisely, has the
   consulting fees he’ll earn for “the firm” going on mostly upstairs and
   secondly a small amount of concern for doing a good job on the fundamentals
   that the client thinks they’re paying for.
   
   As long as the output looks really really professional, who really gives a
   damn about the actual efficacy behind the output. That’s for losers, not
   senior execs. The point is that most managers in most corporates and most
   govt depts are as dumb as a box of hair and this is proven by the fact that
   when said consultant’s senior partner presents “the findings” they normally
   don’t even understand that they could have got the same answers had they
   wandered down the hall and talked to the staff who do the actual job(s) in
   question, it’s just that they wouldn’t have got the excellent powerpoint
   presso. And they sign off on said $100’s of k or even said $1000’s of k
   without another thought, even with a smile and a congratulatory handshake and
   sleep well at night, thinking the money they have just spent which now can’t
   be spent on anything actually productive was well spent.
   
   And so it looks to me like, because politicians are mental
   “shoot-from-the-hip” idiots and govt CEO’s are sycophantic gutless idiots who
   wish only to cover their own butts, we the taxpayer will pay almost certainly
   not 100’s of k but rather 1000’s of k, for nothing. At a time when the GFC
   continues to hit hard, unemployment is dire, confidence is dire, every cent
   counts, and we have a conservative govt in power.
   
   I’d call it a circus, but in a circus, they have trained animals.
   
    * October 16, 2012 6:42pm

   


 * NIGGLY
   
   @ Reid. Not really sure why you think the idea is dumb – after all it’s a
   review and apart from the cost to conduct a review, the real expense will be
   following through with the recommendations.
   
   Anyway what I think is really dumb is the political games now being played
   out. I hope you were fortunate enough to miss Metiria Turei’s whining
   dribbling rant about how Paula Bennett “doesn’t care” about Winz clients and
   she is to blame for all this. Awwwwwwwww! Talk about kindergarten age child
   logic sheesh. Now we have Labour’s Jacinda on her pony wagon going on about
   how she had concerns years ago. Y’know, nevermind Ira Bailey, he may have
   been a fall guy, but looks like Labour + Greens have been taking a keen
   interest over a period of time to see this all fail, makes one wonder whether
   they had their own activist IT types probing the system’s weaknesses and then
   set up these others to find the hole and report it to the media????
   
    * October 16, 2012 6:42pm

   


 * TOAD
   
   @Reid 6:42 pm
   
   Thanks for that sensible and well-reasoned comment. I’ve often been critical
   of your comments, but don’t often get a frank acceptance of that which can’t
   be contested from right wingers on KB when their elected politicians are
   under serious attack for serious failures.
   
   Have to also admit some on the left also not that good in that regard – Clark
   should have sidelined Peters as soon as the Owen Glenn donations issue came
   out & David Benson-Pope should have been dumped much earlier than he was.
   
   And we should all be gunning for #JohnDotBanks.
   
    * October 16, 2012 7:02pm

   


 * REID
   
   @ Reid. Not really sure why you think the idea is dumb – after all it’s a
   review and apart from the cost to conduct a review, the real expense will be
   following through with the recommendations.
   
   niggly you can’t boil the ocean, it takes too much energy, plus it won’t work
   anyway since there’s not enough energy available in the whole world, so don’t
   even bother embarking on the endeavour. That’s my point.
   
   To identify every single security risk presented by every single
   public-facing IT system is boiling the ocean. This is what Key has asked the
   govt CIO to do. Based on a point situation in a point govt dept which may or
   may not be widespread.
   
   Correct me if I’m wrong, but this is mental. Is it not. Would it not be
   better to broadcast internally to govt IT security experts the root causes of
   why this MSD failure happened, and instruct the CEOs of all govt depts to
   make sure their IT depts take this on board on all current and future
   public-facing projects? Wouldn’t that be a more efficient way to make this
   problem go away and never ever rear its ugly head again, which is the whole
   point of the exercise?
   
    * October 16, 2012 7:04pm

   


 * REID
   
   toad @ 7:02 thank you for that. I agree we don’t often see eye-to-eye which
   has over the years resulted in lack of engagement between us on the issues.
   I’ve wondered if that’s because of my online lisping and swearing which I
   admit is forthright and often, offensive.
   
   Personally this lack has been a regret for me albeit understandable. However
   you’re amongst the most astute opposition on this forum along with people
   like Ryan Sproull and I enjoy engaging with people like you, not to defeat or
   because I rate myself, but so I can be learned.
   
   Many conservatives here also, as I hope you’ve observed, have no time for the
   shall we say, less salubrious aspects of the 5th National govt, even though
   they like I, may or will probably vote that way next time – I certainly will
   I can’t speak for them. But I suggest for all of us in this group, it is the
   truth which counts, and truth doesn’t have an ideology.
   
   I can’t promise toad I won’t continue my use of the less “conventional”
   communication techniques but can I ask please, look straight through that and
   focus on the message, because AFAIK, all my messages seek the truth, as I see
   it, and if I’m wrong, how will I recognise that if people like you don’t
   explain it to me? If you happen to be arsed at the time
   
    * October 16, 2012 7:41pm

   


 * HJ
   
   Wikipedia:
   A moral economy, in one interpretation, is an economy that is based on
   goodness, fairness, and justice. Such an economy is generally only stable in
   small, closely knit communities, where the principles of mutuality — i.e.
   “I’ll scratch your back if you’ll scratch mine” — operate to avoid the free
   rider problem. *Where economic transactions arise between strangers who
   cannot be informally sanctioned by a social network*, the free rider problem
   lacks a solution and a moral economy becomes harder to maintain.
   ……………….. that’s why we need people like Bailey to make everyone’s details
   available rather than cover for them (as the Green Party does).
   
    * October 16, 2012 9:12pm

   


 * KEVIN
   
   Yep you could have seen a bit of “happy mischief ” if a less than moral
   rightie had got hold of those files eh.
   
   I don’t understand why anyone would still vote for national.
   
    * October 16, 2012 9:36pm

   


 * REID
   
   I don’t understand why anyone would still vote for national.
   
   Because they’re simply the best Kev. Better than all the rest.
   
   Yes I know.
   
   Pathetic, isn’t it.
   
   Perhaps it’s because we’re all trying to emulate eventually in our later
   years becoming a big, fat, helpless bird that can’t fly and gets picked on
   by all the small furry forest creatures. As I’ve said before, our national
   symbol should be the Haast Eagle and Country Calendar should be filled with
   stories of our great national emblem landing on the backs of Moas and simply
   tearing them to shreds, symbolising at last the great nation we could become,
   if and when someone (like Winston maybe?) finally, finally, at last, gets a
   bit of vision.
   
   Then we’d learn em. And if not now, then when?
   
    * October 16, 2012 9:48pm

   


 * HJ
   
   people vote national because of the Great Divide (refs Australia but is same
   here):
   
   “In a book initially published in 1988 called Ideology and Immigration , she
   demonstrated how race, immigration policy and the concept of multiculturalism
   had combined to produce a set of ideas that had caused a new and fundamental
   division with Australian society. She showed this ideology had created a
   ‘great divide’ between the intellectual class and the majority of the
   population. Intellectuals, who mostly worked for universities and the public
   service, had endorsed a set of values that won the ear of the then Labor
   government and the news media. They established a terminology that soon
   became the only publicly acceptable discourse on the topic. Although they
   professed their motives were social justice and political progress, the same
   intellectuals held an overt contempt for the majority of Australians, who
   they thought remained mired in materialism and shrouded in xenophobia. Betts
   argued that the cultural outlook of these intellectuals was so different to
   mainstream Australia that they constituted a ‘new class’. Her thesis was
   subsequently publicised by a number of conservative media commentators and
   its accuracy was even grudgingly admitted by some on the left. Her analysis
   was proven accurate when the despised majority took their revenge in the 1996
   election by subjecting Paul Keating to the greatest electoral defeat of any
   Prime Minister since Federation.”
   
   //
   Opposition to both the Vietnam War and White Australia forged the links
   between the new identity and support for immigration. ‘For some activists,’
   Betts writes, ‘parochial Australians and their cherished way of life came to
   be seen as the problem common to all these causes, and immigration diversity
   as the universal solution. Racism provided the key.’ Their assumption was
   that old or parochial Australians had supported White Australia and the
   Vietnam War because of their racist beliefs. The same fault, combined with
   the inane materialism of their outer suburban lives, purportedly prejudiced
   them against immigrants. ‘An active celebration of diversity, and further
   immigration might cure them but, even if it did not, these policies would
   make it clear that the new class would not tolerate parochial sentiments and
   that they would make the most of every opportunity to confront them.’ [8] Any
   politicians who might have doubts about the policy, especially those from the
   Labor Party trying to retain their old constituency, were isolated and
   ridiculed by a supportive news media, and identified either with old men from
   another era, like Bruce Ruxton and Arthur Tunstall, or with extremist fringe
   groups. Aspiring members of this in-group soon realised that correct views on
   race and the composition of the migrant intake were essential badges of
   entry. To question immigration was to step outside the circle of
   acceptability. In 1972, the foreign correspondent Bruce Grant returned to
   find ‘an air of unreality’ surrounding the whole question. ‘The governing
   elite pre-empted the issue and made ordinary Australians feel that to be
   racially intolerant was to be unfashionable, even unpatriotic.’ [9]
   
   In Canberra in the 1960s, a small group of sociologists and social policy
   researchers had decided that migrants from non-English speaking backgrounds
   were not doing as well as they should. No immigrant political identities had
   emerged within the major political parties and migrants seemed to be
   disproportionately represented on the lowest rungs of the socio-economic
   ladder. Even though this was an outcome to be expected, indeed inevitable,
   for the early stages of any large-scale program of immigration to another
   society, it was defined as a social problem. A research industry, funded by
   both governments and universities, soon emerged to confirm immigrants’ status
   as victims. Although their findings were usually loaded and migrants to
   Australia actually progressed better than they did in most countries, they
   took the field unchallenged. [10] The group, whose activities have been
   analysed in another landmark work of Australian social science, The Origins
   of Multiculturalism in Australian Politics by Mark Lopez, decided that the
   then official policy of assimilation was the cause of the ‘problem’ they had
   uncovered. [11] Their initial response was soft multiculturalism, with its
   call for tolerance and respect of the migrants’ origins. But in the climate
   of opinion in the radical Sixties, the analysis soon found that it was not
   merely the attitude of Australians that was the problem but the very
   structure of the host society. The academic Marxists who emerged to join this
   burgeoning movement predictably found Australia was exploiting its migrants
   and that their position would not improve without structural change. They
   helped shift the conceptualisation of the issue from assimilation, the idea
   that the migrants should change to fit Australia, to multiculturalism, the
   notion that Australia should change to fit the migrants. Hard
   multiculturalism was born.
   http://www.sydneyline.com/Multiculturalism%20sociology%20of%20shame.htm
   
    * October 16, 2012 10:10pm

   


 * REID
   
   hj you don’t need screeds (though I should talk). But IMO people vote National
   because they’re conservative.
   
   People as they grow older are more conservative because they have more to
   conserve.
   
   Simple. As. That.
   
    * October 16, 2012 10:20pm

   


 * HJ
   
   Herman Daly on the environmental movement:
   
   “Demographers and economists have understandably become reluctant to
   prescribe birth control to other countries. If a country historically
   “chooses” many people, low wages, and high inequality over fewer people,
   higher wages, and less inequality, who is to say that is wrong? Let all make
   their own choices, since it is they who will have to live with the
   consequences.
   But while that may be a defensible position under internationalization, it is
   not defensible under globalization. The whole point of an integrated world is
   that these consequences, both costs of overpopulation and benefits of
   population control, are externalized to all nations. The costs and benefits
   of overpopulation under globalization are now distributed by class more than
   by nation. Labor bears the cost of reduced wage income; capital enjoys the
   benefit of reduced wage costs. Malthusian and Marxian considerations both
   seem to foster inequality. The old conflict between Marx and Malthus, always
   more ideological than logical, has now for practical purposes been further
   diminished. After all, both always held that wages tend toward subsistence
   under capitalism. Marx would probably see globalization as one more
   capitalist strategy to lower wages. Malthus might agree, while arguing that
   it is the fact of overpopulation that allows the capitalist’s strategy to
   work in the first place. Presumably Marx would accept that, but insist that
   the overpopulation is only relative to capitalist institutions, not to any
   limits of nature’s bounty, and would not exist under socialism. Malthus would
   disagree, along with the post-Mao Chinese communists. I confess that my
   sympathies lean more toward Malthus, and that I lament the recent tendency of
   the environmental movement to court “political correctness” by soft-pedaling
   issues of population, migration, and globalization.
   
    * October 16, 2012 10:21pm

   


 * ALAN WILKINSON
   
   @Reid, you are correct in all of your description @16:42 except that the CEO
   is not always stupid. Some at least simply know that is the game they have to
   play so that all requisite butts are protected. Of course those are the ones
   who have made sure that they have managers and staff who actually know what
   they are doing and talking about so are not likely to be involved in cases
   like this. A department like MSD will have its own internal audit section,
   but in my experience it was pretty useless anyway.
   
   The other thing you missed out is that the Big Six report is basically taken
   off their shelf with the local info filled in by the hired gun – and is
   largely a sales pitch for the next job – another report or the remedial
   project.
   
    * October 16, 2012 10:49pm

   


 * KEA
   
   > I lament the recent tendency of the environmental movement to court
   > “political correctness” by soft-pedaling issues of population, migration,
   > and globalization.
   
   I also lament that tendency. They appear more interested in politics than the
   environment. A fact observed by many of the environmental movement’s founding
   fathers, who have seen the likes of Greenpeace overrun by political zealots.
   
   It is easy to raise support (& money) to save cute faced Harp Seals, Dolphins
   and other charming creatures. It is not so easy to sell the idea of not
   having kids. Most folk will nod their heads and agree population control is
   needed. Now try telling them they cannot have a baby and see the reaction. The
   fact is that having kids is the single most damaging thing you can do to the
   environment. No amount of hemp shopping bags and Prius driving will change
   that.
   
    * October 16, 2012 10:52pm

   


 * SJP
   
   David Farrar, I know you’ll want to correct this error as soon as possible:
   The article you have linked to on stuff has a mislabeled photograph. Neither
   of the people in the photo are Ira Bailey. And he’s not mentioned in the
   article. And there is no other evidence on the internet, to my knowledge,
   that he seeks publicity. And that’s just one redundant point of many you have
   made here, one that is easy to debunk. If you want to double check, compare
   the photo with pics of Ira and/or his identical twin. C’est tout.
   
    * October 16, 2012 11:10pm

   


 * ALAN WILKINSON
   
   Reid @16:10, according to the Herald it is Rennie who ordered the all-dept
   security review, not Key.
   
    * October 16, 2012 11:22pm

   


 * KEVIN
   
   Thanks for the comments I appreciate it. I wish lefties would be as honest as
   to why they vote as they do. The problem is every party has skeletons in the
   closet that makes it repugnant for me to vote for them.
   
   National are too close to iwi and never gave the promised tax cuts. They are
   up to their 90s tricks of big government business as usual. Remember they
   brought in much of the paranoid human rights legislation that we still suffer
   from.
   
    * October 16, 2012 11:56pm

   


 * NIGGLY
   
   @ Reid. I get where you are coming from and agree to an extent but not
   totally. Eg in theory a top down directive should work but in practice it
   won’t so a full independent audit is needed.
   
   Any top down directive risks any incompetent department(s) not carrying out
   the recommendations properly (as said incompetent manager/staff member may not
   prioritise due to other work demands or not carry out effectively etc).
   There’s also no consistency nor whole of govt stocktake of the situation,
   also meaning mistakes could continue to occur.
   
   The Govt needs to reassure the public (and sure enough the media and
   opposition parties) that the issues are being addressed throughout the entire
   public service.
   
   Make no mistake, what Ira Bailey came across, the top level accessing of
   sensitive data could be replicated by others, including criminal elements,
   unethical hackers and potentially there’s no reason why such data couldn’t be
   sold off to foreign interests. Or have malware introduced. This may have
   already happened – so this is serious shit and the Govt needs to ensure all
   public systems are secure (and looks like the entire MSD computer network and
   workstations need to be “rebuilt” from scratch in case they were compromised).
   
   http://podcast.radionz.co.nz/ckpt/ckpt-20121016-1807-massive_breach_of_security_at_the_msd-048.mp3
   
   Ok I listened to the Checkpoint audio of Ira Bailey and I will say this:
   
   On the good side: He has been helpful in explaining to the Privacy
   Commissioner what he did and what he saw, in the interests of (hopefully)
   preventing this happening again. I hope he remains cooperative if asked to
   discuss with Govt auditors or even the authorities if required – this will be
   a good test for him and us to judge his “honesty” in this affair, I mean he
   certainly sounded sincere on Checkpoint.
   
   On the questionable side. He hasn’t explained (nor been asked by the media)
   exactly why was he in WINZ and inserting a USB in the first place! Why?
   Perhaps he had heard about the flaw and curiosity took hold. But if so, how
   did he know to check? How did he hear about the flaw?
   
   In his own words he discovered the problem two Fridays ago (Newtown WINZ)
   and double checked on Monday (Willis St WINZ). Informed WINZ that day (good)
   by leaving message with number and name, it seems waited until Tuesday and
   contacted Keith Ng (hmmmm). On Wed he was contacted by WINZ/MSD had a chat
   about being rewarded and when told he can’t, he didn’t want to divulge
   further details such as location or description of problem i.e. kiosks and
   what he could see (because he said he wanted Keith Ng to break the story,
   which happened Sunday – another hmmmmmm, this isn’t a good look).
   
   Also on the questionable side is that in a system admin role one would see
   sensitive data all the time but in this case he knew about a flaw and didn’t
   disclose any meaningful info to WINZ to remedy, instead talked to a blogger
   which is a little at odds with the ethics of his system admin role.
   
   As for dissing John Key, this issue has absolutely nothing to do with him or his
   management style, that part of your comment I disagree with, it also plays
   into the hands of the likes of Toad, who like the Greens and Metiria today
   are using the issue to attack the PM and his Ministers, ignoring the real
   “victims” (WINZ clients) and not addressing the security ramifications. And
   these amateurs think they want to Govern one day?
   
    * October 17, 2012 1:00am

   


 * MARK
   
   Niggly, I think it is fair to assume that Ira Bailey was there to make
   mischief. Whether it was illegal is for others to decide but it is very hard
   to imagine that his motives were positive. But that is exactly why we have
   internet security, to stop those who should not have access to data getting
   to see it. The reality is if everyone was as honest, as we all obviously are,
   then the security would not be necessary.
   
   So the issue here is not at all about Ira Bailey or Keith Ng. The fault lies
   squarely at the feet of MSD with some collateral responsibility falling at
   the feet of their consultants and advisers. From a political responsibility
   perspective the risk for the government is that the opposition can draw the
   dots between the expenditure cuts and doing IT security on the cheap. That is
   a tenuous argument at best but the crap will be thrown and some disquiet will
   stick for some of the public.
   
   Niggly, as for the opposition “dissing” the PM and National I agree that it is
   hardly Key’s fault but that is politics and it is the job of the opposition
   to fire as much crap at the Government as they can to have people asking
   questions. Of course they are going to be directing as much criticism at Key
   as possible as he has been the difference between National winning and losing
   the last two elections. It is hard to imagine that National would not be
   using exactly the same strategy if the roles were reversed. Whether the
   voters are gullible enough is another matter however most will believe what
   suits their political bias.
   
   In the mean time Key is taking the right approach. Fix MSD but also review
   the whole public sector data security. That in itself must be a huge task and
   hopefully the review is not a superficial one.
   
    * October 17, 2012 6:01am

   


 * LEE C
   
   So we’re not going to shoot the messenger, just blindfold him, stick him
   against the wall with a fag in his mouth, in front of a firing squad until we
   can. . .
   
    * October 17, 2012 6:32am

   


 * NIGGLY
   
   @ Mark – all good points, I wouldn’t disagree.
   
   As for the PSA (and no doubt Labour when they wake up) will target budget
   cuts and security and say they are related. To which I’d say BS – security is
   paramount, it’s an area that must be top priority (so why this happened at
   MSD is beyond comprehension – massive fail), there’s always room for budget
   cuts eg not sure what you see, but I see too many staff (IT and non IT esp
   middle management) all with the latest expensive Apple i-gizmos and knowing
   IT, they are a law into themselves wasting massive amounts on piss poor
   projects, which are hushed up within house. Perhaps Brenda Pilot could
   comment on that!
   
    * October 17, 2012 8:28am

   


 * ED SNACK
   
   Can anyone point to a description of what the actual security flaw was?
   
    * October 17, 2012 3:46pm

   


 * ALEX MASTERLEY
   
   Ed,
   I have been waiting for that.
   I doubt that we will find out as the white noise about the existence of a
   flaw rather than what it actually is will drown everything else out.
   
    * October 17, 2012 3:49pm

   


© 2003-2023 David Farrar