Ira Bailey

Bennett’s office in the clear

Keith Ng, The Greens, Labour and assorted proxies all accused Paula Bennett’s office of “leaking” the name of Ira Bailey to the media. Documents obtained under the Official Information Act show that simply isn’t true.

They also show why the initial search for possible breaches failed to detect the vulnerability: it relates to the details publicly available about Ira Bailey.

Once the Chief Executive of the ministry notified the minister of the details on 10 October a staff member did a search and came across his LinkedIn profile. The organisation Ira Bailey works for is apparently an accredited training provider and so the Ministry checked which systems they had access to.

They did this based on the scant knowledge that had been provided in his initial phone call to the Ministry. The emails also reveal that his initial phone call was not recorded.

A subsequent contact was made with Ira Bailey on 10 October. No further information was garnered from that phone conversation.

The ministry remained in the dark and, as one of our largest, would have had no idea where to even start looking. Ira Bailey simply didn’t provide enough information or was unwilling to once he found out he couldn’t shake them down for cash.

He instead decided to go to the media and his left wing pal and former Clark office staffer Keith Ng. Far from being the honourable whistle blower it is clear that he gave them next to nothing other than his name and a claim that he had penetrated the systems and that he had spoken to media.

This paints a somewhat different picture than that which Keith Ng would have us believe.

The minister’s office then has to deal with allegations that they “leaked” his details to the media; the emails show that these allegations are untrue. They were more concerned with ascertaining precisely the details of the systems breach.

It would appear that Keith Ng ratted out his source on a paranoid assumption based on a phone call from a proper journalist. Keith Ng named his source, and yesterday he named his hacker pal as well. People will start to wonder whether or not it is worth the risk of ever speaking with him again if he continually rats out his sources.

I must also point out how quickly the request was turned around. I made this request on Thursday and received the results at 6pm yesterday. Normally government departments and politicians use 20 days as a target timeframe despite information being to hand. In this case it is apparent that the information was to hand, and because I confined the request to a small timeframe and specific details it was able to be provided in a timely manner. I think Paula Bennett’s office is to be commended for that.

The full copy of documents released are below.

Ministry of Social Development – OIA 18 October 2012

Labour can hardly comment on data security

I find it highly ironic that Labour is going on about sensitive data security:

Is Labour asking Keith Ng and Ira Bailey to hand over or delete the files? No… they’re making political capital out of them. Remember when they had their own data breach… at that time Labour threatened and blustered and attacked the person who breached their security, such as it was.

While Labour, the Greens and left wing blogs all stick up for Keith Ng and Ira Bailey, I do wonder how things would have panned out had it been revealed that it was me who found this data breach, and that I took files and that I or my source asked for money. I know exactly how it would have panned out… because Labour did it to me.

They accused me of hacking, they laid complaints against me with the Privacy Commission and wrote threatening letters. The whole saga is summarised here.

A little legal problem for Keith and Ira

Contrary to what David Farrar thinks I think Ira Bailey and Keith Ng have a little problem.

The Register certainly thinks so:

Ng himself, however, has come under criticism for his voracious appetite for grabbing files to prove his point. As his blog post shows, Ng took a look at files for contractor invoices, hours worked, medical information, debt collection, fraud investigation. He notes that “I sorted through 3,500 invoices … about half of what I obtained”.

While demonstrating that the network was unsecured represents a considerable service to the public, not knowing when to stop has probably put the blogger well on the wrong side of the law. Over at National Business Review there’s some lawyerly punch and counterpunch about whether, in fact, Ng went so far he’s at risk of jail under New Zealand’s Crimes Act, even though “prosecution guidelines meant action was unlikely to be taken”.

And the relevant legislation:

Crimes Act 1961

249 Accessing computer system for dishonest purpose

(1) Every one is liable to imprisonment for a term not exceeding 7 years who, directly or indirectly, accesses any computer system and thereby, dishonestly or by deception, and without claim of right,—

(a) obtains any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) causes loss to any other person.

(2) Every one is liable to imprisonment for a term not exceeding 5 years who, directly or indirectly, accesses any computer system with intent, dishonestly or by deception, and without claim of right,—

(a) to obtain any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) to cause loss to any other person.

(3) In this section, deception has the same meaning as in section 240(2).

Is it blackmail?

There are many out there calling Keith Ng and Ira Bailey whistle-blowers.

I don’t think that is a fair call to label them as such.

Still others are calling it blackmail, but is it?

Well let’s look at this quite simply.

Ira Bailey, who has a less than honest background, is an employed system administrator and just happens to have some spare time to spend down at the local WINZ office. I don’t know about you guys but I know precious few employed people who willingly spend even a nano-second contemplating spending time in a WINZ office, let alone, as Keith Ng portrays it, having “half an hour to kill at a WINZ office”.

He then stumbles across some sensitive data and instead of saying something he downloads some copies then buggers off. He calls up WINZ and asks if he can get paid if he tells them where a systems breach is.

When they don’t reply in his timeframe he trots off to his lefty mate, former Helen Clark staffer Keith Ng, who conveniently puts him in touch with a hacker.

Meanwhile WINZ gets back and says that they don’t pay for information. Ira Bailey then says oh that’s alright I’m talking to a journalist.

Several days later after explaining or showing Keith Ng how to do what he did they publish it all on line and create a mass of publicity.

So is this blackmail?

Well, answer this… Had Ira and/or Keith been paid a “consulting fee” would the story have run?

Of course it wouldn’t have…the loophole would have been closed, no one would have said anything and everyone would have been none the wiser. Instead we have this…now I ask again…Is this blackmail?

If it isn’t blackmail it certainly seems to be a new business model whereby you work with a hacker, nick some data, ask for a “reward”, then when told to nick off you publish it and ask for “donations”.

Doesn’t want the media limelight?

Keith Ng says that he reluctantly named his source…I mean who does that anyway…that is another story…because he “isn’t interested in being the media limelight“:

So. The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He currently works as a system administrator, has a young child, and is not interested in being the media limelight. That’s why he asked for anonymity.

Yes here he was in 2009 actively seeking the limelight:

Environmental activists intend to block roads and enter buildings in Wellington in an attempt to demand immediate action on climate change.

Camp for Climate Action Aotearoa will set up a camp in Upper Hutt next week, aiming to attract about 250 protesters.

Participants Claire Dann and Michal Lelen said direct action was one of the camp’s four main aims.

Ms Dann said: “When we’re talking about climate change, the urgency warrants direct action.”

Action would include street theatre, road blockades and entering buildings, but non-violence would be a bottom line.

Who is “we”?

Keith Ng mentioned “we” constantly in his interviews today about his penetration of MSD servers.

This is interesting considering the latest developments.

Mr Boyle said the ministry was contacted last week by a man who said their systems weren’t robust and he would cooperate if there was a reward.

“While he wouldn’t provide any details we asked KPMG to begin penetration testing at this point and this testing has been accelerated and intensified. He did indicate he was working with a journalist,” said Mr Boyle.

This has all the hallmarks of an extortion bid not unlike the ACC affair where a malcontent didn’t get what she wanted and went to the media. Has Keith Ng stumbled into the midst of something more sinister?

Of course it is interesting too that Public Address is part of the Scoop Media Cartel which had their own poor security exposed by me on Friday. The exploit could just as easily have placed malicious code on Public Address.

UPDATE: Now we know who the “we” is…one of the Urewera 17, Ira Bailey.

Keith Ng has outed his source. Worse he has admitted that he has put him in touch with at least one hacker.

I put him in touch with an experienced hacker. This hacker told us that government organisations in NZ don’t really pay for vulnerability reports, and that they were likely to either respond poorly or not at all.

MSD called Ira back two days later. They told Ira that they don’t pay for vulnerability reports. Ira told them he’d been talking to a journalist and the conversation didn’t go anywhere after that.

Right, so this was no civic minded person, it was an experienced programmer, a system administrator, trying to get some coin, rejected from that attempt so shopped the story to his left wing pals in the media…interesting…if you now believe that this fellow just stumbled across a flaw in the kiosks by accident then I have a bridge for sale that you can buy.