Bennett’s office in the clear

Keith Ng, The Greens, Labour and assorted proxies all accused Paula Bennett’s office of “leaking” the name of Ira Bailey to the media. Documents obtained under the Official Information Act show that simply isn’t true.

They also show why the Ministry's initial search for possible breaches failed to detect the vulnerability, and that failure relates to the details publicly available about Ira Bailey.

Once the Chief Executive of the ministry notified the minister of the details on 10 October, a staff member did a search and came across his LinkedIn profile. The organisation Ira Bailey works for is apparently an accredited training provider, and so the Ministry checked which systems they had access to.

They did this based on the scant knowledge that had been provided in his initial phone call to the Ministry. The emails also reveal that his initial phone call was not recorded.

A subsequent contact was made with Ira Bailey on 10 October. No further information was garnered from that phone conversation.

The ministry remained in the dark, and, as one of our largest departments, would have had no idea where to even start looking. Ira Bailey simply didn't provide enough information, or was unwilling to once he found out he couldn't shake them down for cash.

He instead decided to go to the media and his left wing pal and former Clark office staffer Keith Ng. Far from being the honourable whistleblower, it is clear that he gave them next to nothing other than his name, a claim that he had penetrated the systems, and a claim that he had spoken to media.

This paints a somewhat different picture than that which Keith Ng would have us believe.

The minister's office then has to deal with allegations that they "leaked" his details to the media; the emails show that these allegations are untrue. They were more concerned with ascertaining precisely the details of the systems breach.

It would appear that Keith Ng ratted out his source on a paranoid assumption based on a phone call from a proper journalist. Keith Ng named his source, and yesterday he named his hacker pal as well. People will start to wonder whether or not it is worth the risk of ever speaking with him again if he continually rats out his sources.

I must also point out how quickly the request was turned around. I lodged this request on Thursday and received the results at 6pm yesterday. Normally government departments and politicians use 20 days as a target timeframe despite the information being to hand. In this case it is apparent that the information was to hand, and because I confined the request to a small timeframe and specific details, it was able to be provided in a timely manner. I think Paula Bennett's office are to be commended for that.

The full copy of the documents released is below.

Ministry of Social Development – OIA 18 October 2012

  • Whafe

    Great work once again Cam, once again it shows that the left are nothing but a Cluster Fuck….

  • Gazzaw

    What is puzzling me is how Bailey knew that there was a flaw in the system that he could exploit in the first place. You don’t just randomly walk into an organisation armed with a memory stick in the hope that you can download confidential information. Who inside the MSD tipped Bailey off about the vulnerability in the system? What was Bailey’s motive? A quick buck or to embarrass the Ministry or both?

    • Mediaan

      Well done, Gazzaw!

    • http://ferrouswheel.me J P

      Anybody that knew anything about computer security would realise the flaw was there pretty quickly.

      The flaw has been around since the kiosks were deployed. I have a friend who had reported the issue over a year ago during usability testing of kiosks. They did nothing about it.

      You guys are acting like it’s a l33t hack. It’s not, it’s a gaping security hole and god knows how many people have compromised the entire system before this made it to the press.

    • AnonWgtn

      It is very possible that an MSD/Winz staff member knew the flaw and as expected passed this info on to Bailey in the anticipation of embarrassing Bennett.
      I have heard from a friend in Winz that the mostly female staff hate Bennett irrespective.

  • cows4me

    Just fucking pinkos doing what pinkos do best, blackmail, extortion etc.

    • Gazzaw

      Yes, but this has the hallmark of being an inside job. Someone on the staff or an outside contractor with access to the system has spotted the security flaw, given Bailey or whoever he is working with the nod & it’s all on to either embarrass or extort the MSD. The whole scenario is just too pat to be believable. A PSA/labour dirty trick maybe? Possibly even the greens know something. Draw your own conclusions.

      • GregM

        Tend to agree Gazzaw. I always thought it odd that an employed person would just wander into a winz office armed with a usb stick. I’m smelling a rat too.

      • http://ferrouswheel.me J P

        Inside job? You’ve got to be kidding, this was a completely ridiculous security flaw. I know several people that also knew about it, some told WINZ a year ago during usability testing of the kiosks, others saw it but couldn’t be bothered doing anything.

        If I had any reason to be using the kiosks I probably would have laughed myself silly at the absurdity of their IT “security”.

        • GregM

          I don’t disagree with you J P, it’s just the timing of the whole thing I find suspect. I am certainly no expert, but it seems to me they weren’t running the kiosks on a virtual platform?

      • pukakidon

        Yes you are right and these two are deviant dishonest pricks. However as has been exposed, there are some very incompetent IT support staff in government departments if this is how they are running their networks.

        This is security 101 and they have failed, dismally. At first when I heard of the access I thought the individual would have had to at least have put some effort in, but it seems that the security was so poor. No effort at all was required.

        I find it funny that the NG guy was the one doing all the squealing and ratting out his mates and when the accusations were put that Paula had leaked the information by the liars in Liarbour again he stayed very quiet. He is a loser and a political shit stirrer, right from the mold of Shearer, quite willing to lie and let others take the fall while he skulks away like a coward.

        • Gazzaw

          So if it has been that blindingly obvious PD why has it been left until now? JP claims that WINZ (or rather WINZ staff) knew about it a year ago and he may well be right. It is all too orchestrated to be random.

          • pukakidon

            You are right, there may well have been loose lips from staff within and this needs to be thoroughly investigated, but I am sure if it did occur from within you will not find the rat unless Ira squeals, which I don’t think he will.

            However, more importantly, this is symptomatic of the inept IT support staff working in Government departments. Most have been promoted from the help desk and have very little or outdated qualifications, or very poor qualifications. This is basic security and networking 101: don’t connect kiosks to the production network; these terminals should have been accessing the necessary data from the internet through a DMZ on a separate network.

            The CIO and Network Manager should be given the boot for not implementing the correct levels of security. Security In Depth, Hahahah more like security support staff out of their depth.

          • Gazzaw

            Yes, you are right about inept IT support staff. I think many of us have borne the brunt of inefficient systems from government departments. I don’t know the answer but we need to find it & quick.

      • anrky_al

        And why not – if they were told a year ago and failed to deal with it, then yep, the sharpened stick approach will get a reaction.

    • http://ferrouswheel.me J P

      Clearly the people posting on this strange blog and commenting know nothing about computer security.

      Most professional organisations have programmes for being paid for reporting security vulnerabilities. It’s not extortion, it’s how the industry works.

      I definitely would have gone public with such a massive compromise of the entire network infrastructure. There is no solution but starting from scratch, because anybody could have the credentials that were available through the kiosks. I know they won’t do this, but it’s incredibly worrying about the state of government IT for this to ever happen.

      “Keith Ng ratted out his source” – It was a mutually agreed disclosure. Read the facts instead of using emotive language and making shit up.

      • http://www.whaleoil.co.nz Whaleoil

        Never name your source…ever. He’ll never get another, especially as he has named his hacker pal too now

        • http://ferrouswheel.me J P

          Stop using the word “hacker”. There was no hacking necessary.

          You seem to miss my point: Ira and Keith mutually decided to make it public. If Ira had qualms about it, Keith would not have named him.

          Personally I wish Keith would just name the journalist who claimed to know his source. Then we could ask them directly how they knew.

          • http://www.whaleoil.co.nz Whaleoil

            He already has, keep up, it was Claire Trevett, and she has been asked directly and she quite rightly refuses to name her sources….like a proper journalist.

  • blazer

    ‘Normally government departments and politicians use 20 days’… yes, but when it’s good PR, requested from a fawning sycophant, it’s no surprise they can expedite things.

    • http://www.whaleoil.co.nz Whaleoil

      You haven’t been reading my blog much have you. I’m no fan of Paula Bennett, she is altogether much too close to Murray McCully for my liking.

    • pukakidon

      You still angry, Blazer, because Paula and the staff have told you to get off your backside and get a job, or is it the drug testing you are afraid of? Might have to give up the blazing of the wacky backy eh!

      • blazer

        you are not even mildly amusing.

    • http://www.mcmillan.org.nz/ Andrew McMillan

      Compare Cameron’s OIA request with mine (which was lodged on the 16th):

      Please supply me with a copy of the report (along with any applicable correspondence) regarding Dimension Data’s testing of the WINZ Self-Service kiosks.

      I got a prompt response, but not quite what I was after:

      Thank you for your email received 16 October 2012, under the Official Information Act 1982. Your request has been forwarded to the appropriate officials at National office to respond. You may expect a response to be sent to you as soon as possible.

      I expect this will take 20 days, then a complaint to the Ombudsman followed by weeks of toing and froing before I’ll see anything.

      There’s no doubt that the Ministry (along with others) abuses the OIA process where it suits. I don’t think Cameron’s request has been answered quickly because of Cameron; rather I’d suggest that in Cameron’s case the Ministry is releasing information that it wants to be in the public domain.

      • blazer

        I agree.

  • blazer

    simple question…is it a good thing that systemic flaws have been exposed or not?

    • anrky_al

      Yes absolutely – no amount of preening spin will remove the fact the MSD were told about this previously. If it takes a modicum of collusion for the public service and an asleep-at-the-wheel collection of ministers to understand they have a real job to do, and not just toady about enacting dumb and seriously lacking-in-rigour ideas (Partnership Schools anyone?), then I don’t have any problem with who and what stripe the political colour is to get this sort of thing out in the open.

  • BJ

    My vote swings towards Ira inserting a USB for the express reason to download material he already knew was accessible. And I think Keith’s ‘proper journalist’ is fictitious so he could justify outing his source because he was feeling very uncomfortable with all the focus on him.

    While the National government continue to behave with integrity they will brush aside their enemies, good will triumph over evil and trust should increase faith in their governance.

    • AnonWgtn

      A USB can be used to insert data and infect a programme.

  • Marc Williams

    Although I agree that there was a commendable rapid response to the OIA request, there does seem to be an enormous number of “out of scope” blank spaces in the information delivered. When we are covering such a small area of interest, how come there is so much of this deleted when it was a pretty specific investigation?

    • http://www.whaleoil.co.nz Whaleoil

      out of scope of my question…not the enquiry. Feel free to ask for that information yourself.
