The Source

Update: A journalist called up earlier knowing Ira's name, and asked me to confirm him as my source. It was clear that somebody had given her the name, and the story was due to be published tomorrow. Sorry I wasn't clear about this in the orignal.

Update 2: *Obviously* I've been in touch with Ira this whole time. He was also contacted by the journalist yesterday, we discussed how to proceed and then I wrote this. I got his permission to write this and cleared the draft of this with him before I published this. Like, seriously - what kind of dick did you think I was?

So. The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He currently works as a system administrator, has a young child, and is not interested in being the media limelight. That's why he asked for anonymity.

He did not have any special access to the system - he just had half an hour to kill at a WINZ office. He plugged in his USB drive and it didn't appear, so he had a poke around the system to find it - and found the giant vulnerability instead.

He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it's certainly not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them a opportunity to close holes discretely, without causing embarrassment for their company.

MSD didn't know what to do with his request, and it got slowly bumped up the food-chain.

Ira didn't hear back from them, so he talked to me instead. I put him in touch with an experienced hacker. This hacker told us that government organisations in NZ don't really pay for vulnerability reports, and that they were likely to either respond poorly or not at all.

MSD called Ira back two days later. They told Ira that they don't pay for vulnerability reports. Ira told them he'd been talking to a journalist and the conversation didn't go anywhere after that.

At this point, it was clear that Ira was not going to get paid for it, but that it could still be an important story. He showed me the vulnerability - the only condition was that his name be kept out of it. He wasn't interested in being in the limelight.

The rest, I've already blogged. We have since both deleted all the material from our computers, and Ira assured me it's all gone, and I've assured the Privacy Commissioner of this.

Since he called MSD and left his name and number, it was always likely that they'd out him as a diversion. We had hoped that it wouldn't get to that, but it has, which is why I'm writing this now.

Should he have reported the vulnerability, free of charge? Yeah, that would have been the selfless thing to do for the public good. But asking to be compensated for his troubles is not unreasonable, either. After all, it's not as if the people MSD ended up relying on - KPMG - did it for free.

Ross Mason, 19:45 Oct 15, 2012

Auditing costs for accountants is of the order of $450 / hour. Four letter acronym firms like this must be worth it.

This shitfest is a systems problem. Demming would say, "Sort the system out first then sort out the operators".

Upper Hutt • Since Jun 2007 • 1590 posts Report

Islander, 19:47 Oct 15, 2012

Interestinger & interestinger!
And I’d far sooner, as a taxpayer, pay you (well, I have) and Ira than KPMG – who seem to have done a lousy boj (botch/op/job)-

Big O, Mahitahi, Te Wahi … • Since Feb 2007 • 5643 posts Report

Sacha, 19:48 Oct 15, 2012

After all, it's not as if the people MSD ended up relying on - KPMG - did it for free.

And effectively being paid twice for the same work takes a special sort of skill with contracts.

Ak • Since May 2008 • 19745 posts Report

DPF, 19:49 Oct 15, 2012

Did Ira suggest a specific amount or range to MSD, as a "reward"?

Wellington, New Zealand • Since Nov 2006 • 78 posts Report

Keith Ng, in reply to DPF, 19:51 Oct 15, 2012

No. He asked if there was a system. He was expecting a set rate for vulnerability reports.

Auckland • Since Nov 2006 • 543 posts Report

Idiot Savant, 19:53 Oct 15, 2012

So, MSD are scumbags. Guess they're following the example set by their Minister then.

Palmerston North • Since Nov 2006 • 1717 posts Report

Alex Coleman, 19:57 Oct 15, 2012

Why the scare quotes David?

Don't be evil on this.

Wellington • Since Nov 2006 • 247 posts Report

Sacha, 19:58 Oct 15, 2012

Shades of Bronwyn Pullar.. #blackmail

Hilary Stace, 19:58 Oct 15, 2012

I suspect that there weren't any jobs at KPMG advertised on the Work and Income database. Pity - there are obviously a lot of skilled people without jobs out there, and many with jobs but not sufficient skills.

Wgtn • Since Jun 2008 • 3229 posts Report

George Darroch, 19:59 Oct 15, 2012

This angers me. Ira is a kind and gentle man. This act of revenge - which is all it can be described as - is entirely undeserved.

Whoever released this obviously thought they could get away with it...

WLG • Since Nov 2006 • 2264 posts Report

Islander, in reply to George Darroch, 20:02 Oct 15, 2012

Kia kaha PAS!
And, similar fora-

Sacha, 20:03 Oct 15, 2012

Any links to Mr Bailey being outed yet?

James George, 20:04 Oct 15, 2012

Well you're correct of course but that won't be how scumbag politicians and their paid liar lickspittles will paint it.
We have seen with ACC, then Kim whatshisname, that a favourite wellington media handler's ploy is to insinuate the victim is just trying to screw 'the innocent kiwi taxpayer'.
In Kim whathisname's case there has been absolutely zilch evidence that he plans on doing any such thing; that hasn't prevented the nat fanbois posing as journos on the herald et al from running stories about "How much Dotcom could sue us for".

I really feel for your source who has just got past one extended round of media/pol bashing, cause now another round is pretty much inevitable.

'we' or 'us' the humans who live in NZ should pay close attention to what happens and make sure we store away the name rank and serial numbers of those journos who buy into any such twisted nat slippery as an eel scam.
Freedom of the press should never extend to carte blanche freedom to twist reality to suit a self interested outcome.
Oh well chins up & remember what guru Malcolm said on Saturday:
"The look we're going for is solemn respect, like blokes modelling underpants."

Since Sep 2007 • 96 posts Report

Jarno van der Linden, 20:06 Oct 15, 2012

Great. Didn't they learn anything from the whole ACC saga?
Hmm, as the police considered the Urewera 17 to be terrorists, by donating money to Keith I guess I just funded an organization connected to terrorism. Yay!

Completely unrelated, I see that kiwileaks.*.nz domains are still available.

Nelson • Since Oct 2007 • 82 posts Report

barnaclebarnes, in reply to Islander, 20:13 Oct 15, 2012

And I’d far sooner, as a taxpayer, pay you (well, I have) and Ira than KPMG – who seem to have done a lousy boj (botch/op/job)-

Just a thought. What if KPMG had done a good job but after their pen testing MSD had released an update that opened up the computers to man+dog?

It will be an interesting investigation.

Auckland • Since Nov 2006 • 90 posts Report

Martin Connelly, 20:15 Oct 15, 2012

I am interested to know - if he asked for anonymity - why did you name him?

New Zealand • Since Jun 2012 • 28 posts Report

Islander, in reply to barnaclebarnes, 20:19 Oct 15, 2012

mind wobbles a bit with the considerable complications & implications - I'm just an unhumble writer - not an IT person- so I can only gag a bit, study and then -probably throw up-

George Darroch, in reply to Martin Connelly, 20:22 Oct 15, 2012

Martin, Keith did not name him. Someone at some level of the Ministry named him. This post exists because once someone is in the public eye, they deserve a right of reply; thus Keith is speaking for him.

Chris Miller, in reply to Martin Connelly, 20:25 Oct 15, 2012

Presumably they discussed it again in light of the fact that MSD revealed they'd been contacted by someone last week who'd "asked for money" and Ira changed his mind so they could get their side of the story out.

Otautahi, Aotearoa • Since Nov 2011 • 17 posts Report

simon g, 20:31 Oct 15, 2012

Just want to add my thanks and support for Keith and his source. You have done the whole country a huge favour, and I hope that knowledge will sustain you as things turn nasty.

Time to watch Homeland ... taking a break from the unbelievable reality to the more believable fiction.

Auckland • Since Nov 2006 • 1333 posts Report

insider, 20:31 Oct 15, 2012

What exactly were the 'troubles' he wanted compensating for? The trouble of Not being able to find his flash drive in the directory? The trouble of exploring msd's files? The trouble of making a phone call to ask for money?

Wellington • Since Sep 2011 • 31 posts Report

Chris Cormack, in reply to insider, 20:39 Oct 15, 2012

Like Keith said, bug bounties are a fairly standard thing, https://www.computerworld.com/s/article/9230309/Google_boosts_bonuses_for_Chrome_bug_bounty_hunters
I don't see anywhere where he wanted compensation for 'troubles'

Wellington • Since May 2011 • 4 posts Report

Islander, in reply to insider, 20:39 Oct 15, 2012

???????
Why the fuck are these questions relevant?
Please explain these to a bear of little brain - IF you are not engaged with a honey pot-

Toby, 20:40 Oct 15, 2012

Has someone actually outed him, Keith, or is this preemptive? I haven't seen any reports naming him.

pt chev • Since Mar 2011 • 27 posts Report

Trevor Nicholls, in reply to insider, 20:40 Oct 15, 2012

Curious why you put "troubles" in quotation marks when there is no reference to troubles in the original story nor this clarification.
If I was less naive I'd think you were "poisoning the well" :-p

Wellington, NZ • Since Nov 2006 • 325 posts Report

OnPoint by Keith Ng

217 responses to this post