Ira Bailey
October 16th, 2012 at 9:00 am by David Farrar
Keith Ng blogs:
The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He currently works as a system administrator, has a young child, and is not interested in being in the media limelight. That’s why he asked for anonymity.
Mr Bailey is not interested in publicity? This must be a recent thing, as he has sought it in the past.
He did not have any special access to the system – he just had half an hour to kill at a WINZ office.
So Bailey says he just happened to be at a WINZ office, and was bored.
He plugged in his USB drive and it didn’t appear, so he had a poke around the system to find it – and found the giant vulnerability instead.
Yeah, I plug in USB drives to computer terminals all the time.
I should make very clear that I think Keith Ng has acted entirely properly and ethically. He got told of a security breach, he investigated it, he took evidence to prove it, he notified MSD and the Privacy Commissioner, he revealed the breach and handed all the data over to the Privacy Commissioner.
I also think Keith believes what Mr Bailey has told him. I’m just slightly more sceptical of the story that an experienced system admin just happens to be bored, at WINZ, and accidentally finds it. Especially when you consider what he then did.
He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it’s certainly not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them an opportunity to close holes discreetly, without causing embarrassment for their company.
Yes, giant global tech companies have been known to have a reward system. I’ve never ever heard of a Govt Dept having such a system, and companies that do tend to advertise the fact. I asked Keith if Bailey asked for or suggested a specific amount, and he said no.
It is unfortunate Bailey thought his “accidental” half hour discovery was something MSD should pay for and did not do what Keith did, and just alert the Privacy Commissioner and publish what happened – either directly or via Keith.
MSD called Ira back two days later. They told Ira that they don’t pay for vulnerability reports. Ira told them he’d been talking to a journalist and the conversation didn’t go anywhere after that.
I’d be interested in details of that conversation. I’d also be interested in how, after that, MSD didn’t find the massive security hole. Who was alerted to the request for payment?
Should he have reported the vulnerability, free of charge? Yeah, that would have been the selfless thing to do for the public good. But asking to be compensated for his troubles is not unreasonable, either. After all, it’s not as if the people MSD ended up relying on – KPMG – did it for free.
There is a difference between being asked to locate a vulnerability for a fee, and finding one and asking someone to pay you for it, or otherwise you’ll expose it in the media.
As I said, I think Keith has acted entirely appropriately, and I’ve said so on radio – his actions have served the public interest. I’m reserving judgement on Bailey until I’ve heard more detail.
Tags: Ira Bailey, Keith Ng, MSD
October 16th, 2012 at 9:04 am
>I should make very clear that I think Keith Ng has acted entirely properly and ethically.
I disagree. Bailey was essentially trying to blackmail MSD by threatening to publicise a vulnerability that might cost people their jobs unless he was paid. Ng should have revealed the fact that he was helping a blackmailer extract his utu in his initial report.
October 16th, 2012 at 9:07 am
It would be interesting to know what was already on the USB drive that Bailey plugged in to the WINZ kiosk. Is it beyond the realm of the imagination that he was trying to introduce something FROM the USB stick TO the MSD computer system?
It’s also interesting to note that in the Scoop profile on Mr Bailey at the time of his Urewera arrest that he is a friend of Nicky Hager, of the Don Brash e-mail saga infamy; how convenient.
http://keepingstock.blogspot.co.nz/2012/10/so-many-questions.html
October 16th, 2012 at 9:10 am
Why does it matter what Bailey’s (or Ng’s) motives were? Does it change the WINZ failings one little bit? And isn’t THAT the real story (along with the oversight failure that allowed them to occur)?
Or, let’s say Bailey IS a no-good, blackmailing piece of shit. So what?
[DPF: I'm not suggesting it changes the story. I've blogged and said on radio that the failure by MSD is huge, much more concerning than ACC, and in fact have said I expect sackings.
But that doesn't mean the public don't deserve to know the full background to what happened. The nice thing with a blog is you have no space limits, so can cover multiple aspects to a story.]
October 16th, 2012 at 9:11 am
I was staggered at the range of information that was accessed. I would have thought it should have been fenced off. It seems all secret information is held in one place like an Aladdin’s cave. Unbelievable. This is a hanging offence starting at the top. But watch them wheel up some middle ranking official and blame him or her.
October 16th, 2012 at 9:11 am
MSD should have paid — a thousand bucks to plug a hole which will save millions.
This is not blackmail. He knew of a security flaw, notified MSD that he could provide his services to identify this security hole for them.
MSD probably paid Pricewaterhouse millions to do the same thing, yet, they detected nothing.
October 16th, 2012 at 9:18 am
AG, couldn’t agree with you more. Bailey’s motives are a sideline; the real issue is that MSD has a massive IT security failure. I am not particularly bothered as to what his motives were, I am a hell of a lot concerned that he was able to do what he did, and so easily.
October 16th, 2012 at 9:19 am
If Bailey was really motivated by money or publicity:
- wouldn’t he have waited to hear back from MSD before going to Ng?
- wouldn’t he have gone to media with much bigger pockets?
- wouldn’t he have dragged out the revelations like on political hit jobs?
- wouldn’t he have revealed his identity from the start?
We can quibble about motives and methods but as others are saying the revelation of appalling data security is the big story here, and the responsible way the revelation has been handled by Ng and Bailey – Ira Bailey versus MSD.
October 16th, 2012 at 9:20 am
wreck1080>This is not blackmail. He knew of a security flaw, notified msd that he could provide his services to identify this security hole for them.
It isn’t the way we do things in NZ. If I’d visited a rellie in hospital, spent a few minutes wandering around the wards, and spotted some unsafe situation that might cost someone an injury or their life… then would the correct thing to do be:
a) Tell the hospital staff so they can fix it; or
b) Ring up MOH. Don’t describe the exact problem so it can be identified and fixed. Demand to be paid, otherwise I’ll tell Keith Ng so that he can do a report on unsafe conditions in hospitals and someone will end up losing their job.
Telling the media isn’t blackmail. Asking for a reward and handing over detail of the vulnerability regardless isn’t blackmail. Asking for payment and threatening to go to the media unless you’re paid IS blackmail, and Keith Ng was an accessory.
October 16th, 2012 at 9:23 am
Wreck has a good point also. WTF were PriceWaterhouseCoopers being paid for if they could not find such a fundamental hole in the system security. I would be fascinated to see what PWC was paid for their services in this area and to what benefit. Perhaps the government inquiry should extend to what PWC were contracted to do and what they achieved.
October 16th, 2012 at 9:25 am
So the leak is fine, the problem is actually Ira Bailey. Got it.
October 16th, 2012 at 9:25 am
Have these people never heard of vlans ?
Whole thing is an epic fail.
is this run internally or outsourced ?
October 16th, 2012 at 9:30 am
Geez DPF, your fawning over him is awkward. You don’t have to stick the knife in, but your front-footed support and defence of him is … uncomfortable.
October 16th, 2012 at 9:32 am
Are the technicians now presumably working to fix the flaw working for free?
Ira Bailey and Keith Ng would probably like to know how much an hour these technicians are earning.
October 16th, 2012 at 9:35 am
I am sure that if he had been paid he would have still gone public and claimed he was given hush money. This guy is subversive with links to others who want to destabilise our society and its agencies. And who knows what inside assistance they were getting from disgruntled fellow travellers in the department who long for the return of their Labour mates to power?
As well, once again we are shown what a crowd of incompetents we employ, at huge expense, in our public departments. If anything is an argument for privatisation, surely this debacle is.
October 16th, 2012 at 9:40 am
PWC will not come out smelling of roses after this gross failure. The company appears to have done a very poor job with its “security audit”.
October 16th, 2012 at 9:40 am
The more this scab is picked, the more the sepsis is exposed.
It is clear that the consultant employed by WINZ to find the “Hole” last year (their statement), did not do the job – or something was done to the system at a later date.
That (Bailey’s) USB drive is not a good look since it may have contained the means by which Bailey and Ng gained entry. In other words the “Hole”.
It is not quite black, but it is very, very murky.
October 16th, 2012 at 9:43 am
Dear neighbour,
I know you’re overseas on holiday, but I was poking around your place and noticed that your front door isn’t locked… If you flick me some cash, I’ll lock it for you… Otherwise I know some guys who will make it worth my while.
Sincerely,
Ira
October 16th, 2012 at 9:44 am
Once a crook, always a crook. Bailey, Urewera terrorist, is a crook.
October 16th, 2012 at 9:45 am
Either that or someone with an axe to grind or political motives inside MSD opened the gate and called Ira Bailey and told him where to look. I wouldn’t be surprised if the gate wasn’t open when PWC went looking. And I expect the inquiry will tell us a lot more about this. It goes way beyond coincidence. In fact it stinks to high heaven.
October 16th, 2012 at 9:46 am
@Yvette and Wreck.
It doesn’t matter how much the technicians are paid to fix the problem. (I’d guess any experienced network guy could fix the isolated problem in 20 minutes. And it’s a government agency, so they’ll be paying the technicians too much.) You can’t demand money when you discover a flaw – that’s not how it works. Besides, he wasn’t offering to fix the problem for a fee, he was offering to tell them about a problem which he accidentally discovered.
If a parking warden notices the bonnet of your car is very loose, he might have saved you hundreds in repair costs, but a thank you is all that you owe him.
Bailey’s demands show where his motives lie however. A greedy swindler, who’d rather try and make a quick buck than be honest and report the situation. He put his thirst for cash ahead of the privacy of the children and families whose details were out in the open. What a despicable person – he could have helped people, but he wanted dough.
None of this should distract from the initial mistake, but from what I understand it is a very, very, very stupid mistake to make. Almost too stupid.
October 16th, 2012 at 9:50 am
PWC and KPMG et al are a joke. They charge like wounded bulls and fail to deliver. Look at the finance company collapses. These bozos provided the so called independent reports and valuations that turned out to be a crock of shit.
Their reputations are shot thru. None of them should be allowed anywhere near MSD or any other government departments systems.
What with ACC and now MSD the question is who’s going to be next. You can bet your bottom dollar there are systems shot full of holes out there just waiting to be plundered.
JK should order a complete review of all IT systems by proven independent parties. Otherwise the citizens can have no faith in any government IT system.
October 16th, 2012 at 9:57 am
Auberon, I agree with you, there is more to this than meets the eye, especially as it was exposed just as Bennett announced her proposed child at risk database and Ardern was commenting in every interview that it was dodgy.
October 16th, 2012 at 10:01 am
Doc
Well said. Every day I could go through my neighbours’ letterboxes and find out lots about them. I don’t. Neither do they.
Shearer is building a ‘gotcha’ world and I don’t like it.
October 16th, 2012 at 10:05 am
flipper said
Right on the money. A known activist with no need whatsoever to go into a WINZ office to access a computer (he works with computers FFS) goes into WINZ, logs in to a kiosk, inserts his USB drive and suddenly discovers a security breach…have I got a bridge for you! It’s just too convenient, especially when Bailey is a known associate of the likes of Valerie Morse and Nicky Hager. And don’t forget; his sister Emily was one of those convicted of firearms offences after the Urewera trial.
October 16th, 2012 at 10:15 am
If Ira Bailey is such a nasty piece of work why didn’t he do more damage with the material available? He gave his name over freely and gave a return number. He could’ve easily collated the most sensitive bits of data and secretly sent that to whoever he felt like, including Shearer, Norman et al. and had the government running around in a mad fit trying to find out where this super sensitive stuff was coming from. The last place they would’ve looked was the Winz public kiosks that’s for sure.
A malicious USB stick? Are you kidding? They used the file open dialog in Microsoft Word, they didn’t install a trojan. Go down to your local photo printing place, you can stick a USB stick in there too. Some people even store stuff, like, I don’t know, their CV on a USB stick, which is kind of what the whole point of the kiosk was for anyway, to get a job.
October 16th, 2012 at 10:16 am
Why online information? I would have thought a review of internal security would be in order. Why would the user account used at the kiosk have access to so many servers? Internally at MSD do staff have access to all servers, regardless of their role?
October 16th, 2012 at 10:21 am
Yes the problem is when he got in there he only found information to back up the public criticism of the welfare gravy train.
Nothing useful to the left except the fact that NZ government computer systems are NZ custom designed crap designed by ma and pa limited in a garage in taihape. Now tell us something we didn’t know.
October 16th, 2012 at 10:27 am
I don’t know what’s worse:
The shocking exposure of personal information available through MSD, that even a two year old could access……
or the hang, draw and quarter hatchet job on the one that discovered it.
I guess if it were Whaleoil, like he did with the adserver hacking, you’d all be rubbing yourselves in babyoil and commenting on what a fine job that was done.
WINZ = leaks, poor security, blame the left
ACC = Leaks, poor security, blame Bronwyn Puller
Secret Service = Leaks, poor security, blame DotCom or whoever
A piss poor attempt at deflection
October 16th, 2012 at 10:27 am
Because he’s as stupid as he is greedy?
I think his main motivation was money. That’s why he gave them his name, they can’t write a cheque to “anonymous blackmailer”. It was only when he realised the MSD wasn’t going to cave in to his extortion attempt that he clumsily gave the material to a blogger.
October 16th, 2012 at 10:32 am
Nicky Hager the objective journalist told us that affidavits don’t mean much with regard to the urewera molotov cocktail cricket club yet the sniff of any activity at Waihopai sends him into a fizz. So why does Radio NZ use him for comment. Wouldn’t Paul Buchanan be (a lot) better?
October 16th, 2012 at 10:36 am
Nah it was political. These groups will have been trying to hack everything. I wonder how many times a day banks get attempted hackings?
- but they are too secure.
Then police – too secure
… so they feed down the food chain until they manage to hack big fat slack old MSD. Bingo….oops …. no book for Hager here, no brethren, WASPs or multinationals registered.
October 16th, 2012 at 10:40 am
Not convinced. Sure, there’s a mistake here. But it boils down to the kiosk having access to the MSD network. Sounds like all MSD file servers are accessible to all staff. That’s pretty common, and Windows does an ok job of finding them when you go “map network drive”. Why kiosks wouldn’t be on a separate network segment or at least running under an unprivileged user, I don’t know, but I guess it’s a mistake someone could make.
As for security audit – unless you knew they had kiosks and were asked to audit them, this would never show up. Security audits usually focus on access via the internet, not someone already inside the firewall.
Embarrassing, yes. Surprising, no.
October 16th, 2012 at 10:45 am
Anyone wonder why the MSD managers did not pay him? I bet they wish for a time machine now.
If I were an MSD IT manager and advised of a massive security hole, I’d have negotiated a confidentiality agreement on the basis the security flaw was large.
Why on earth would they not do this? Surely this method is far cheaper than some pricewaterhouse security audit. I’ve been involved in these big accounting firm IT audits –they really are a joke. More an exercise in box ticking.
Anyway, it is a good thing that this has surfaced so now we all know what a joke these highly paid IT staff are. This is what happens when you put lawyers in charge instead of technical people.
October 16th, 2012 at 10:49 am
How do you walk into an MSD office and sit alone for half an hour with access to an MSD computer?
No point paying him anyways coz he would have outed the hole for public good anyways after he had taken the dosh.
October 16th, 2012 at 10:54 am
@labrator, you do make some good points.
Whilst there are more questions than answers at the moment, perhaps upon reflection (and thinking about political & media game playing that could result) one shouldn’t be in a rush to condemn Ira Bailey especially as not all the facts are known.
Sure there are questions one could ask of him, such as, how did he hear about the security vulnerability? From another source (if so who, someone within MSD or another MSD client or another activist or even hacker etc)? Does he have a habit of checking govt/corporate public computers/kiosks for vulnerabilities (and even if so, I doubt he’d be the only person in NZ to have done that)? If so, has he been rewarded in the past and thought he would look for more vulnerabilities elsewhere eg MSD? Or was it something that he tried for the first time and hit the jack pot? It could even be the latter here – who knows.
Just saying this because he may be somewhat innocent (and unintentional consequences of accusing him could result in media fallout for the Govt). But otherwise if not, then in time once the audits are done we’d have more info to go on.
Having said this, I’m amazed that someone like Ira Bailey could access sensitive areas within the MSD network. Question: did the kiosks have admin privileges set which allowed anyone with system administration knowledge to browse around (and even if so, it must have been a hell of a high level admin privilege to get into many systems), or else was this not the case and Ira Bailey used his SA knowledge to get around internal security measures to delve deeper? So far Keith Ng isn’t suggesting the latter in his commentary (but then again I’m not sure how much SA knowledge Keith Ng would have). I think we may need more info to come out via Keith’s sources or otherwise the Govt audit before passing judgement.
October 16th, 2012 at 10:55 am
This distinctly smells of Ad Hominem to me
Now I’ll save you some time: oh but no you said at the end what a bad thing the leak is….nope…that doesn’t fly because the crux of your article is about the individual. You even headlined it “Ira Bailey”. And then hilariously said that because he was involved in an environmental movement THREE YEARS AGO that got some press, you imply he’s a publicity whore.
Then you imply that he couldn’t have been bored with time to kill and at a WINZ office, and that he must’ve MALICIOUSLY plugged his USB stick in because WHY ELSE WOULD ANYONE DO THAT?
Which is a good question. Why would he maliciously put his USB stick in? What possible gain is there for anyone?
Our friend Ira Bailey gained nothing from this. Nada. Zilch. Zip. So he’s either the worst blackmailer ever, or you’ve just gotten his motives wrong.
You’re clearly not reserving judgement. This whole post is a judgement.
October 16th, 2012 at 11:00 am
Reward that man!
October 16th, 2012 at 11:02 am
PaulL, you say “Sounds like all MSD file servers are accessible to all staff.” Actually MSD chief executive Brendan Boyle refuted that utterly yesterday – he said the file Keith Ng opened was most definitely not accessible by most internal MSD computer terminals/users. Which is just one of a number of reasons why this stinks to me as an inside and politically motivated job.
October 16th, 2012 at 11:08 am
What part of this is politically motivated? Is exposing a massive security flaw now considered a partisan action?
The reason you could access these things in kiosks was because when they were installed they were given “Admin” privileges. Whereas generic MSD staff were not.
October 16th, 2012 at 11:09 am
Maybe the MSD should openly make available these details that Ira so helpfully accessed? If we the taxpayer are paying these people haven’t we the right to know who they are and the circumstances that allow them to get on a benefit?
(OK I’m not so sure about the info regarding safe houses for battered women)
October 16th, 2012 at 11:15 am
this is politically motivated the same way that Whaleoil getting in the backdoor of the LP computer system was.
October 16th, 2012 at 11:16 am
But MSD aren’t a political party? They’re a Government Department. No matter who’s in Government.
October 16th, 2012 at 11:24 am
Ah, here we go.
October 16th, 2012 at 11:34 am
So this affair couldn’t possibly be used to attack the govt then?
Like this? http://thestandard.org.nz/no-accountability-in-national-government/
October 16th, 2012 at 11:41 am
There’s a difference between a blackmailer and a bounty hunter.
But ” Bailey says he just happened to be at a WINZ office, and was bored. He plugged in his USB drive..”
Has anyone asked him WHY? Has he given an answer?
David C >Why would he maliciously put his USB stick in?
Er, why would you innocently do so?
Only two reasons to plug in a memory stick: to copy things from it to the computer, or vice versa.
October 16th, 2012 at 11:45 am
Umm WINZ staff tell you to bring your CV in on a USB stick so you can work on them at the Kiosk.
They don’t allow webmail, and you can’t get to Google Docs so USB is the only option.
October 16th, 2012 at 11:49 am
Ah ok. Never needed their services to find a job, so didn’t know that.
October 16th, 2012 at 11:58 am
@ davidc – the guy is a system administrator working with computers all day long. Why would he need a WINZ computer to print off a CV?
October 16th, 2012 at 12:00 pm
I’m not buying his story either. Would someone working in the industry really be stupid and naive enough to think that an NZ government department would have a bug bounty program? They are really rare, even for private companies, let alone the civil service. It seems like a thinly disguised blackmail attempt. With hindsight they should have paid it anyway, but without details he probably came across as a scammer. Note that according to Ng he didn’t mention the kiosks to MSD at all, so they had no idea where to look.
October 16th, 2012 at 12:11 pm
Colville (331) Says:
October 16th, 2012 at 11:15 am
this is politically motivated the same way that Whaleoil getting in the backdoor of the LP computer system was.
So what if it was. That does not take away the fact that there was no data security. Why shoot the messengers here. It is a major data security failure by a government department. The motivations are completely irrelevant.
October 16th, 2012 at 12:27 pm
@ Mark; no-one is resiling from the fact that a major blunder at MSD has been exposed. But Bailey’s involvement raises some very legitimate questions, some of which have not been asked yet.
October 16th, 2012 at 12:29 pm
If you didn’t think it could be any worse:
About the only good thing about this is Bennett appears to be upfront about it.
Maybe Bailey was looking through some old news and decided to check to see if it had been addressed adequately.
October 16th, 2012 at 12:38 pm
“WINZ staff tell you to bring your CV in on a USB stick so you can work on them at the Kiosk.”
I’d love to see Ira Bailey’s CV-
Work skills: Molotov Cocktails, Blowing up dams, Inciting a race-war…
October 16th, 2012 at 1:17 pm
The fact that he had a USB drive is neither here nor there. The point is that “looking for it” was the figleaf he used to excuse his poking around the system if he got caught.
It’s clear that the security on this system… well, using the word “security” implies that someone actually tried to secure something. They didn’t.
This is basic, basic stuff. Any competent IT person knows that just restricting access to windows explorer is not going to stop people accessing the file system or network.
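A concrete version of the two technical points made in this thread, PaulL’s (kiosks should sit on a separate network segment and run as an unprivileged user) and the comment above (hiding Windows Explorer does not restrict the file system or the network, because access is decided by the logon token, not the shell). This is an added PowerShell example written for this page; it is not code from the page, from MSD, or from any of the audit firms named. It is meant to be run from the kiosk’s own logon session. The server names, share paths and port are placeholders chosen for illustration and are not real MSD identifiers.

```powershell
# Added example: what does a walk-up kiosk session actually hold?
# Run from the kiosk's logon session. Names below are placeholders.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"Running as        : $($identity.Name)"
"Local Administrator: $isAdmin"      # a locked-down kiosk account should print False

# Group memberships decide which internal shares the token can open,
# regardless of whether Explorer is hidden from the user.
"Group memberships:"
foreach ($sid in $identity.Groups) {
    try   { "  " + $sid.Translate([Security.Principal.NTAccount]).Value }
    catch { "  " + $sid.Value }     # unresolvable SID: print it raw
}

# Placeholder UNC paths (assumed, not real MSD paths). From a kiosk
# every one of these should be unreachable; any True is a finding.
$paths = @('\\fileserver01\staff$', '\\fileserver01\public', '\\printserver\print$')
"Share reachability:"
foreach ($p in $paths) {
    $reachable = Test-Path -Path $p -ErrorAction SilentlyContinue
    "  {0,-28} reachable={1}" -f $p, $reachable
}

# Segmentation check: from a kiosk VLAN, internal servers should not
# even answer on SMB. Test-NetConnection ships with Windows 8 /
# Server 2012 and later; on older hosts substitute a TcpClient connect.
"SMB reachability (TCP 445):"
foreach ($s in @('fileserver01', 'printserver')) {
    $r = Test-NetConnection -ComputerName $s -Port 445 -WarningAction SilentlyContinue
    "  {0,-14} open={1}" -f $s, $r.TcpTestSucceeded
}
```

Read the output in that order: if the account is a local administrator, or is a member of the same groups as staff, hiding Explorer and the Run dialog changes nothing, since any Office “File > Open” dialog runs with the same token. If the placeholder shares report reachable, the fix is on the server ACLs and the kiosk’s group membership; if TCP 445 is open to internal servers at all, the kiosk is on the wrong network segment and the fix is a VLAN and firewall rule, not a desktop policy.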
October 16th, 2012 at 1:23 pm
Possibly eighteen months. A few people may be doing a lot of sweating.
October 16th, 2012 at 1:31 pm
Will the usual suspects in the Lame Stream Media who breathlessly led the night’s propaganda broadcasts when this sensational “news” broke,do a similar breathless follow up?
October 16th, 2012 at 6:10 pm
Further to Pete’s 1:23, NBR has this story on who may? have leaked Ng’s source: Bennett.
http://www.nbr.co.nz/opinion/linkedin-trail-leads-bennetts-office-%E2%80%93-ng
One of the dumbest things to come out of this developing farce is the govt CIO conducting an across-govt review to identify similar issues across every single govt agency.
I mean talk about politician knee-jerk to a point problem. What is the matter with Key? Doesn’t the guy understand how expensive this is going to be, for what will probably be very little result? I would have expected Hulun to do something like this, since she’s never worked outside of govt where our money grows on her trees and it’s there for her benefit and we should be gwateful she’s spending it cos she’s so fucking wise, but Key doing it? WTF is wrong with this idiot? Hasn’t he ever worked in private enterprise? Oh wait. He has. Fucking d’oh, Key. This knee jerk reaction speaks volumes about you, your management style, your political style, your strategic analysis, your commercial perspicacity and your lack thereof in every one of the aforesaid arenas.
October 16th, 2012 at 6:19 pm
Good point Reid. Deal firstly with this problem – then expand later if necessary.
October 16th, 2012 at 6:42 pm
Just listened to the Bailey interview on Checkpoint around 6:05 where he details the exposure; will be worth listening to when it’s posted on their site. He alleges in his opinion an across govt audit is necessary. Well he would say that wouldn’t he.
But let’s get real people. The Kiosk project is clearly to me at a guess, a project where either the Security Architect was asleep at the switch or where one wasn’t engaged at all and personally I plump for the latter which means the project manager was asleep at the switch. I mean, a Kiosk and you don’t bother about security? Either way, it’s an elementary, no brainer, fucking d’oh level of mistake which is the IT equivalent of designing a car, clay models and all, spending millions tooling up the machines, then discovering when it hits the market that, oh dear, it has square wheels instead of the usual round ones. This was fuckup #1.
But not only that, a consulting company unfortunately employed only after all this money had been spent, apparently pointed out that square wheels weren’t the usual thing and possibly this should be investigated. This was fuckup #2.
Now this doesn’t happen everyday does it. Not too many cars with square wheels hit the market, do they. Same as this. So what the heck is the point in overreacting the way Key has, notwithstanding the monstrous incompetence on the part of someone, an individual, that this represents?
But FFS, the point is, you don’t need Deloittes to tell you what went wrong, you would easily find this out if you wander down the corridor and talk to the staff, which is precisely what Deloittes is going to do, isn’t it. The reason why the CEO appointed Deloittes is because of this look she gave him.
One main reason why both govt and corporate managers hire the big six IMO is because of their reputation and their massive liability insurance. For this reason the managers are quite happy to ditch (and I do mean ditch) $100s, sometimes $1000s of k on twenty-somethings in nice suits who type really fast all the time and come in really early and work really late and who are led by a “senior partner” who looks and sounds as slick as Richard Griffin but may not have quite as much going on upstairs, or more precisely, has the consulting fees he’ll earn for “the firm” going on mostly upstairs and secondly a small amount of concern for doing a good job on the fundamentals that the client thinks they’re paying for.
As long as the output looks really really professional, who really gives a damn about the actual efficacy behind the output. That’s for losers, not senior execs. The point is that most managers in most corporates and most govt depts are as dumb as a box of hair and this is proven by the fact that when said consultant’s senior partner presents “the findings” they normally don’t even understand that they could have got the same answers had they wandered down the hall and talked to the staff who do the actual job(s) in question, it’s just that they wouldn’t have got the excellent powerpoint presso. And they sign off on said $100s of k or even said $1000s of k without another thought, even with a smile and a congratulatory handshake and sleep well at night, thinking the money they have just spent which now can’t be spent on anything actually productive was well spent.
And so it looks to me like, because politicians are mental “shoot-from-the-hip” idiots and govt CEO’s are sycophantic gutless idiots who wish only to cover their own butts, we the taxpayer will pay almost certainly not 100s of k but rather 1000s of k, for nothing. At a time when the GFC continues to hit hard, unemployment is dire, confidence is dire, every cent counts, and we have a conservative govt in power.
I’d call it a circus, but in a circus, they have trained animals.
October 16th, 2012 at 6:42 pm
@ Reid. Not really sure why you think the idea is dumb – after all its’ a review and apart from the cost to conduct a review, the real expense will be following through with the recommendations.
Anyway what I think is really dumb is the political games now being played out. I hope you were fortunate enough to miss Metiria Turei’s whining dribbling rant about how Paula Bennett “doesn’t care” about Winz clients and she is to blame for all this. Awwwwwwwww! Talk about kindergarten age child logic sheesh. Now we have Labour’s Jacinda on her pony wagon going on about how she had concerns years ago. Y’know, nevermind Ira Bailey, he may have been a fall guy, but looks like Labour + Greens have been taking a keen interest over a period of time to see this all fail, makes one wonder whether they had their own activist IT types probing the system’s weaknesses and then set up these others to find the hole and report it to the media????
October 16th, 2012 at 7:02 pm
@Reid 6:42 pm
Thanks for that sensible and well-reasoned comment. I’ve often been critical of your comments, but don’t often get a frank acceptance of that which can’t be contested from right wingers on KB when their elected politicians are under serious attack for serious failures.
Have to also admit some on the left also not that good in that regard – Clark should have sidelined Peters as soon as the Owen Glenn donations issue came out & David Benson-Pope should have been dumped much earlier than he was.
And we should all be gunning for #JohnDotBanks.
October 16th, 2012 at 7:04 pm
@ Reid. Not really sure why you think the idea is dumb – after all it’s a review and apart from the cost to conduct a review, the real expense will be following through with the recommendations.
niggly you can’t boil the ocean, it takes too much energy, plus it won’t work anyway since there’s not enough energy available in the whole world, so don’t even bother embarking on the endeavour. That’s my point.
To identify every single security risk presented by every single public-facing IT system is boiling the ocean. This is what Key has asked the govt CIO to do. Based on a point situation in a point govt dept which may or may not be widespread.
Correct me if I’m wrong, but this is mental. Is it not? Would it not be better to broadcast internally to govt IT security experts the root causes of why this MSD failure happened, and instruct the CEOs of all govt depts to make sure their IT depts take this on board on all current and future public-facing projects? Wouldn’t that be a more efficient way to make this problem go away and never ever rear its ugly head again, which is the whole point of the exercise?
October 16th, 2012 at 7:41 pm
toad @ 7:02 thank you for that. I agree we don’t often see eye-to-eye which has over the years resulted in lack of engagement between us on the issues. I’ve wondered if that’s because of my online lisping and swearing which I admit is forthright and often offensive.
Personally this lack has been a regret for me albeit understandable. However you’re amongst the most astute opposition on this forum along with people like Ryan Sproull and I enjoy engaging with people like you, not to defeat or because I rate myself, but so I can be learned.
Many conservatives here also, as I hope you’ve observed, have no time for the shall we say, less salubrious aspects of the 5th National govt, even though they like I, may or will probably vote that way next time – I certainly will I can’t speak for them. But I suggest for all of us in this group, it is the truth which counts, and truth doesn’t have an ideology.
I can’t promise toad I won’t continue my use of the less “conventional” communication techniques but can I ask please, look straight through that and focus on the message, because AFAIK, all my messages seek the truth, as I see it, and if I’m wrong, how will I recognise that if people like you don’t explain it to me? If you happen to be arsed at the time
October 16th, 2012 at 9:12 pm
Wikipedia:
A moral economy, in one interpretation, is an economy that is based on goodness, fairness, and justice. Such an economy is generally only stable in small, closely knit communities, where the principles of mutuality — i.e. “I’ll scratch your back if you’ll scratch mine” — operate to avoid the free rider problem. *Where economic transactions arise between strangers who cannot be informally sanctioned by a social network*, the free rider problem lacks a solution and a moral economy becomes harder to maintain.
……………….. that’s why we need people like Bailey to make everyone’s details available rather than cover for them (as the Green Party does).
October 16th, 2012 at 9:36 pm
Yep you could have seen a bit of “happy mischief” if a less than moral rightie had got hold of those files eh.
I don’t understand why anyone would still vote for national.
October 16th, 2012 at 9:48 pm
I don’t understand why anyone would still vote for national.
Because they’re simply the best Kev. Better than all the rest.
Yes I know.
Pathetic, isn’t it.
Perhaps it’s because we’re all trying to emulate eventually in our later years becoming a big, fat, helpless bird that can’t fly and gets picked on by all the small furry forest creatures. As I’ve said before, our national symbol should be the Haast Eagle and Country Calendar should be filled with stories of our great national emblem landing on the backs of Moas and simply tearing them to shreds, symbolising at last the great nation we could become, if and when someone (like Winston maybe?) finally, finally, at last, gets a bit of vision.
Then we’d learn em. And if not now, then when?
October 16th, 2012 at 10:10 pm
people vote national because of the Great Divide (refs Australia but is same here):
“In a book initially published in 1988 called Ideology and Immigration , she demonstrated how race, immigration policy and the concept of multiculturalism had combined to produce a set of ideas that had caused a new and fundamental division with Australian society. She showed this ideology had created a ‘great divide’ between the intellectual class and the majority of the population. Intellectuals, who mostly worked for universities and the public service, had endorsed a set of values that won the ear of the then Labor government and the news media. They established a terminology that soon became the only publicly acceptable discourse on the topic. Although they professed their motives were social justice and political progress, the same intellectuals held an overt contempt for the majority of Australians, who they thought remained mired in materialism and shrouded in xenophobia. Betts argued that the cultural outlook of these intellectuals was so different to mainstream Australia that they constituted a ‘new class’. Her thesis was subsequently publicised by a number of conservative media commentators and its accuracy was even grudgingly admitted by some on the left. Her analysis was proven accurate when the despised majority took their revenge in the 1996 election by subjecting Paul Keating to the greatest electoral defeat of any Prime Minister since Federation.”
//
Opposition to both the Vietnam War and White Australia forged the links between the new identity and support for immigration. ‘For some activists,’ Betts writes, ‘parochial Australians and their cherished way of life came to be seen as the problem common to all these causes, and immigration diversity as the universal solution. Racism provided the key.’ Their assumption was that old or parochial Australians had supported White Australia and the Vietnam War because of their racist beliefs. The same fault, combined with the inane materialism of their outer suburban lives, purportedly prejudiced them against immigrants. ‘An active celebration of diversity, and further immigration might cure them but, even if it did not, these policies would make it clear that the new class would not tolerate parochial sentiments and that they would make the most of every opportunity to confront them.’ [8] Any politicians who might have doubts about the policy, especially those from the Labor Party trying to retain their old constituency, were isolated and ridiculed by a supportive news media, and identified either with old men from another era, like Bruce Ruxton and Arthur Tunstall, or with extremist fringe groups. Aspiring members of this in-group soon realised that correct views on race and the composition of the migrant intake were essential badges of entry. To question immigration was to step outside the circle of acceptability. In 1972, the foreign correspondent Bruce Grant returned to find ‘an air of unreality’ surrounding the whole question. ‘The governing elite pre-empted the issue and made ordinary Australians feel that to be racially intolerant was to be unfashionable, even unpatriotic.’ [9]
In Canberra in the 1960s, a small group of sociologists and social policy researchers had decided that migrants from non-English speaking backgrounds were not doing as well as they should. No immigrant political identities had emerged within the major political parties and migrants seemed to be disproportionately represented on the lowest rungs of the socio-economic ladder. Even though this was an outcome to be expected, indeed inevitable, for the early stages of any large-scale program of immigration to another society, it was defined as a social problem. A research industry, funded by both governments and universities, soon emerged to confirm immigrants’ status as victims. Although their findings were usually loaded and migrants to Australia actually progressed better than they did in most countries, they took the field unchallenged. [10] The group, whose activities have been analysed in another landmark work of Australian social science, The Origins of Multiculturalism in Australian Politics by Mark Lopez, decided that the then official policy of assimilation was the cause of the ‘problem’ they had uncovered. [11] Their initial response was soft multiculturalism, with its call for tolerance and respect of the migrants’ origins. But in the climate of opinion in the radical Sixties, the analysis soon found that it was not merely the attitude of Australians that was the problem but the very structure of the host society. The academic Marxists who emerged to join this burgeoning movement predictably found Australia was exploiting its migrants and that their position would not improve without structural change. They helped shift the conceptualisation of the issue from assimilation, the idea that the migrants should change to fit Australia , to multiculturalism, the notion that Australia should change to fit the migrants. Hard multiculturalism was born.
http://www.sydneyline.com/Multiculturalism%20sociology%20of%20shame.htm
October 16th, 2012 at 10:20 pm
hj you don’t need screeds (though I should talk). But IMO people vote National because they’re conservative.
People as they grow older are more conservative because they have more to conserve.
Simple. As. That.
October 16th, 2012 at 10:21 pm
Herman Daly on the environmental movement:
“Demographers and economists have understandably become reluctant to prescribe birth control to other countries. If a country historically “chooses” many people, low wages, and high inequality over fewer people, higher wages, and less inequality, who is to say that is wrong? Let all make their own choices, since it is they who will have to live with the consequences.
But while that may be a defensible position under internationalization, it is not defensible under globalization. The whole point of an integrated world is that these consequences, both costs of overpopulation and benefits of population control, are externalized to all nations. The costs and benefits of overpopulation under globalization are now distributed by class more than by nation. Labor bears the cost of reduced wage income; capital enjoys the benefit of reduced wage costs. Malthusian and Marxian considerations both seem to foster inequality. The old conflict between Marx and Malthus, always more ideological than logical, has now for practical purposes been further diminished. After all, both always held that wages tend toward subsistence under capitalism. Marx would probably see globalization as one more capitalist strategy to lower wages. Malthus might agree, while arguing that it is the fact of overpopulation that allows the capitalist’s strategy to work in the first place. Presumably Marx would accept that, but insist that the overpopulation is only relative to capitalist institutions, not to any limits of nature’s bounty, and would not exist under socialism. Malthus would disagree, along with the post-Mao Chinese communists. I confess that my sympathies lean more toward Malthus, and that I lament the recent tendency of the environmental movement to court “political correctness” by soft-pedaling issues of population, migration, and globalization.
October 16th, 2012 at 10:49 pm
@Reid, you are correct in all of your description @16:42 except that the CEO is not always stupid. Some at least simply know that is the game they have to play so that all requisite butts are protected. Of course those are the ones who have made sure that they have managers and staff who actually know what they are doing and talking about so are not likely to be involved in cases like this. A department like MSD will have its own internal audit section, but in my experience it was pretty useless anyway.
The other thing you missed out is that the Big Six report is basically taken off their shelf with the local info filled in by the hired gun – and is largely a sales pitch for the next job – another report or the remedial project.
October 16th, 2012 at 10:52 pm
I also lament that tendency. They appear more interested in politics than the environment. A fact observed by many of the environmental movement’s founding fathers, who have seen the likes of Greenpeace over run by political zealots.
It is easy to raise support (& money) to save cute faced Harp Seals, Dolphins and other charming creatures. It is not so easy to sell the idea of not having kids. Most folk will nod their heads and agree population control is needed. Now try telling them they cannot have a baby and see the reaction. The fact is that having kids is the single most damaging thing you can do to the environment. No amount of hemp shopping bags and Prius driving will change that.
October 16th, 2012 at 11:10 pm
David Farrar, I know you’ll want to correct this error as soon as possible: The article you have linked to on stuff has a mislabeled photograph. Neither of the people in the photo is Ira Bailey. And he’s not mentioned in the article. And there is no other evidence on the internet, to my knowledge, that he seeks publicity. And that’s just one redundant point of many you have made here, one that is easy to debunk. If you want to double check, compare the photo with pics of Ira and/or his identical twin. C’est tout.
October 16th, 2012 at 11:22 pm
Reid @16:10, according to the Herald it is Rennie who ordered the all-dept security review, not Key.
October 16th, 2012 at 11:56 pm
Thanks for the comments I appreciate it. I wish lefties would be as honest as to why they vote as they do. The problem is every party has skeletons in the closet that makes it repugnant for me to vote for them.
National are too close to iwi and never gave the promised tax cuts. They are up to their 90s tricks of big government business as usual. Remember they brought in much of the paranoid human rights legislation that we still suffer from.
October 17th, 2012 at 1:00 am
@ Reid. I get where you are coming from and agree to an extent but not totally. Eg in theory a top down directive should work but in practice it won’t so a full independent audit is needed.
Any top down directive risks any incompetent department(s) not carrying out the recommendations properly (as said incompetent manager/staff member may not prioritise due to other work demands or not carry out effectively etc). There’s also no consistency nor whole of govt stocktake of the situation, also meaning mistakes could continue to occur.
The Govt needs to reassure the public (and sure enough the media and opposition parties) that the issues are being addressed throughout the entire public service.
Make no mistake, what Ira Bailey came across, the top level accessing of sensitive data could be replicated by others, including criminal elements, unethical hackers and potentially there’s no reason why such data couldn’t be sold off to foreign interests. Or have malware introduced. This may have already happened – so this is serious shit and the Govt needs to ensure all public systems are secure (and looks like the entire MSD computer network and workstations need to be “rebuilt” from scratch in case they were compromised).
http://podcast.radionz.co.nz/ckpt/ckpt-20121016-1807-massive_breach_of_security_at_the_msd-048.mp3
Ok I listened to the Checkpoint audio of Ira Bailey and I will say this:
On the good side: He has been helpful in explaining to the Privacy Commissioner what he did and what he saw, in the interests of (hopefully) preventing this happening again. I hope he remains cooperative if asked to discuss with Govt auditors or even the authorities if required – this will be a good test for him and us to judge his “honesty” in this affair, I mean he certainly sounded sincere on Checkpoint.
On the questionable side. He hasn’t explained (nor been asked by the media) exactly why he was in WINZ and inserting a USB in the first place! Why? Perhaps he had heard about the flaw and curiosity took hold. But if so, how did he know to check? How did he hear about the flaw?
In his own words he discovered the problem two Fridays ago (Newtown WINZ) and double checked on Monday (Willis St WINZ). Informed WINZ that day (good) by leaving message with number and name, it seems waited until Tuesday and contacted Keith Ng (hmmmm). On Wed he was contacted by WINZ/MSD had a chat about being rewarded and when told he can’t, he didn’t want to divulge further details such as location or description of problem i.e. kiosks and what he could see (because he said he wanted Keith Ng to break the story, which happened Sunday – another hmmmmmm, this isn’t a good look).
Also on the questionable side is that in a system admin role one would see sensitive data all the time but in this case he knew about a flaw and didn’t disclose any meaningful info to WINZ to remedy, instead talked to a blogger which is a little at odds with the ethics of his system admin role.
As for dissing John Key, this issue has absolutely nothing to do with him or his management style, that part of your comment I disagree with, it also plays into the hands of the likes of Toad, who like the Greens and Metiria today are using the issue to attack the PM and his Ministers, ignoring the real “victims” (WINZ clients) and not addressing the security ramifications. And these amateurs think they want to Govern one day?
October 17th, 2012 at 6:01 am
Niggly I think it is fair to assume that Ira Bailey was there to make mischief. Whether it was illegal is for others to decide but it is very hard to imagine that his motives were positive. But that is exactly why we have internet security, to stop those who should not have access to data getting to see it. The reality is if everyone was as honest, as we all obviously are, then the security would not be necessary.
So the issue here is not at all about Ira Bailey or Keith Ng. The fault lies squarely at the feet of MSD with some collateral responsibility falling at the feet of their consultants and advisers. From a political responsibility perspective the risk for the government is that the opposition can draw the dots between the expenditure cuts and doing IT security on the cheap. That is a tenuous argument at best but the crap will be thrown and some disquiet will stick for some of the public.
Niggly as for the opposition “dissing” the PM and national I agree that it is hardly Key’s fault but that is politics and it is the job of the opposition to fire as much crap at the Government as they can to have people asking questions. Of course they are going to be directing as much criticism at Key as possible as he has been the difference between national winning and losing the last two elections. It is hard to imagine that National would not be using exactly the same strategy if the roles were reversed. Whether the voters are gullible enough is another matter however most will believe what suits their political bias.
In the mean time Key is taking the right approach. Fix MSD but also review the whole public sector data security. That in itself must be a huge task and hopefully the review is not a superficial one.
October 17th, 2012 at 6:32 am
So we’re not going to shoot the messenger, just blindfold him, stick him against the wall with a fag in his mouth, in front of a firing squad until we can. . .
October 17th, 2012 at 8:28 am
@ Mark – all good points, I wouldn’t disagree.
As for the PSA (and no doubt Labour when they wake up) will target budget cuts and security and say they are related. To which I’d say BS – security is paramount, it’s an area that must be top priority (so why this happened at MSD is beyond comprehension – massive fail), there’s always room for budget cuts eg not sure what you see, but I see too many staff (IT and non IT esp middle management) all with the latest expensive Apple i-gizmos and knowing IT, they are a law unto themselves wasting massive amounts on piss poor projects, which are hushed up within house. Perhaps Brenda Pilot could comment on that!
October 17th, 2012 at 3:46 pm
Can anyone point to a description of what the actual security flaw was?
October 17th, 2012 at 3:49 pm
Ed,
I have been waiting for that.
I doubt that we will find out as the white noise about the existence of a flaw rather than what it actually is will drown everything else out.