OnPoint: The Source
217 Responses
-
Vulnerability Rewards aren't uncommon. Many (most?) big internet companies will offer them (some are advertised, some are not) as will many other businesses.
The idea being that a security vulnerability is probably worth money to someone. If you offer some reward to people for reporting them to you it's less likely people will try to profit from them in some other way.
Had I discovered it I may have handled things the same way that Ira did (well actually I'd probably have publicised it personally rather than going to Keith) - see if MSD wanted to reward my help, otherwise detail the problem (while giving MSD a reasonable heads up) publicly.
The ways of handling vulnerability reporting are a constant point of contention among the IT security community. Most adopt a "disclose and publish" approach where they tell the affected organisation then some time later publish the details. But some will just publish. Others will basically sell the information into the "black hat" world.
-
Suggest you read again Keith's post, "troubles" his word
-
Heh. Been searching for data on my files and found this topical quote:
“"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.”
Rich Cook
Keith you idiot !!!!! -
insider, in reply to
Sure bear. Read the second last line of Keith's post - "But asking to be compensated for his troubles is not unreasonable, either. "
-
andin, in reply to
Read the post would you.
He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it's certainly not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them an opportunity to close holes discreetly, without causing embarrassment for their company.
-
insider, in reply to
Read the post to the end would you
-
Trevor Nicholls, in reply to
My bad. In context informing the MSD was taking trouble to do the right thing - it's not as if there weren't more lucrative options around. (By the way, do you know how much effort it takes to have a serious conversation with a government department?!)
-
Seems to me the most responsible thing for Ira to have done after such a lacklustre MSD response would have been... to tell Keith Ng.
-
Islander, in reply to
Ae!
-
FiFi, in reply to
No, it's not blackmail. In fact they (WINZ staff) try the same tricks when they are in the wrong and don't want to be exposed. I have first-hand experience of that. Besides, these things don't happen by accident, they happen for a reason. Seems like sweet justice for Ira for the wrongdoing inflicted on him by a government department.
-
Yes, this is nothing new again. The oooh so loving and caring 'Crown' (acting in the form of the government and its agencies, departments and ministries on its behalf) always "cares" for us, and treats us in absolute "good faith" all the time, aye?
They expect a common citizen to come and sort their problems out for them, free of charge, while we get presented with user charges, fees, penalties and whatsoever, when we ask for something, need something and in some cases fail to deliver.
Also WINZ swiftly comes with sanctions, arrogantly demands full disclosure and more, when clients deal with them, being the weaker, often legally illiterate party. Yet when we seek transparency, accountability, service delivery and integrity, then they treat many of us with contempt, fob us off and "shit" on us.
I am appalled, yet again, about the arrogance and two-facedness of WINZ and MSD. They show how much they care in the following story and case too:
http://www.odt.co.nz/news/dunedin/229829/beneficiary-fighting-court
"We are there for you and want to ensure you get the support you need", something along those lines is their usual propaganda!
BS through and through!
Take a stand and confront them, liars!
-
FiFi, in reply to
Well, spending money on making sure their systems work would be out of the question, because it might dip into their Christmas bonus money and we can't have that, can we.
-
FiFi, in reply to
Isn't it amazing that they can spend so much taxpayers' money to fight decisions they don't like, but when it comes to giving people what they are entitled to they come at you with this savings BS.
-
Keith Ng, in reply to
By the way, do you know how much effort it takes to have a serious conversation with a government department?!
Well I could tell you how much money it *costs* to have a conversation with a government department... except the Privacy Commissioner would waterboard me.
-
Troubles? Yes, he must've worked so hard to plug in his USB drive. Heaven forbid that his drive not appear (at least geni got that far), he sticks his nose where it shouldn't have been able to get to. How bitter do you have to be when, on finding a breach in "national security" and realizing you weren't going to be paid for your "troubles", you felt the need to go behind the back of MSD and break this story.
And to the Urewera saga. A simple definition of terrorist: a person who terrorizes or frightens others. Discharging a shotgun around a large crowd, that frightens the shit out of me. To think it is OK, disgusting.
-
FiFi,
This article was really disturbing
Winz manager sacked after bar fight with client
http://www.nzherald.co.nz/winz/news/article.cfm?o_id=247&objectid=10804728
-
Islander, in reply to
And to the Urewera saga. A simple definition of terrorist: a person who terrorizes or frightens others. Discharging a shotgun around a large crowd, that frightens the shit out of me. To think it is ok, disgusting.
Ben Masters - your intellect is sort of on the level of a paua - cling on to the same old same old and never question anything -
I normally welcome people to PAS (as do all longterm PAS people) BUT
do you actually understand the ramifications of anything you said?
-
papango, in reply to
How bitter do you have to be, when finding a breach in “national security”, that, upon realizing you weren’t going to be paid for your “troubles” you felt the need to go behind the back of MSD and break this story.
I'm not really convinced by that to be honest. It looks to me like he asked at MSD and got a pretty slack response. Which doesn't surprise me because the chances that he was actually allowed to speak to someone in IT who understood the problem are nil, at best. They didn't think they had a problem and they weren't interested in listening to someone tell them they did.
-
FiFi,
The dept mess-ups that just keep giving
Too old, Winz tells mum, 42
http://www.nzherald.co.nz/winz/news/article.cfm?o_id=247&objectid=10840371
You know after the hassles I have had with them lately I am feeling a sense of sweet justice as well. I was hoping to find a journalist to write a report with me but I haven't been able to find one yet.
-
classic Lift Pitch endings...
... and found the giant vulnerability instead.
There has to be a kids book in that
or some kinda kidult blend...
dibs on....
-
Dylan Reeve, in reply to
How bitter do you have to be, when finding a breach in “national security”, that, upon realizing you weren’t going to be paid for your “troubles” you felt the need to go behind the back of MSD and break this story.
Breaking the story is pretty much the norm. Even with most vulnerability reward programs, the person reporting the issue is still allowed (in some cases encouraged) to publicly report it however they wish - the only limitation is timing.
Sure, he could have just told someone at MSD about the issue, although according to news reports today someone had already tried that. Instead by telling a journalist he made sure the problem would be properly addressed and the MSD still got advance notice so they could mitigate immediate damage.
Nothing Ira or Keith did here is improper or unreasonable. Had MSD (or NZ government in general) been operating a vulnerability reward system the only thing (hopefully) that would have changed here is that MSD would have got more details sooner, but everything else should have remained exactly the same.
-
As an aside to all this I think the NZ Government should establish an IT advisory group that can co-ordinate with any and all government IT departments on issues like this and that group should institute and publicise a Vulnerability Reward program. The data we're talking about is just too important to rely on the hope that "good citizens" will report whatever they find and that random IT departments will act appropriately.
-
FiFi, in reply to
And government departments don't terrorize people with their threats and ill treatment? What do you call what this government is doing to people? It is a form of terrorism disguised as law.
-
Well said, Dylan Reeve. I heartily agree. It should not be beyond the wit of the collective expertise - and I mean within the Govt orgs - to disappear to a hideout for a week or two to devise systems that are useful to Govt and, more importantly, the citizenry of our fair country.
Why do we insist each org has to have its own?? And it seems that Brendon Boyle's previous lives may be just the ticket to finish what the Govt started.
Let's do it, Folks!!
-
papango, in reply to
You'll laugh (or cry, or both), but we actually already have one. The New Zealand National Cyber Security Centre is an actual thing. It's got strategy documents and forms and an info security manual that runs to 297 pages. You'll be shocked, shocked!, to learn that they are ignoring this and hoping nobody asks what it is they do again or why we're paying for it.