Keith Ng blogs:
The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He currently works as a system administrator, has a young child, and is not interested in being in the media limelight. That’s why he asked for anonymity.
Mr Bailey is not interested in publicity? This must be a recent thing, as he has sought it in the past.
He did not have any special access to the system – he just had half an hour to kill at a WINZ office.
So Bailey says he just happened to be at a WINZ office, and was bored.
He plugged in his USB drive and it didn’t appear, so he had a poke around the system to find it – and found the giant vulnerability instead.
Yeah, I plug in USB drives to computer terminals all the time.
I should make very clear that I think Keith Ng has acted entirely properly and ethically. He got told of a security breach, he investigated it, he took evidence to prove it, he notified MSD and the Privacy Commissioner, he revealed the breach and handed all the data over to the Privacy Commissioner.
I also think Keith believes what Mr Bailey has told him. I’m just slightly more sceptical of the story that an experienced system admin just happens to be bored, at WINZ, and accidentally finds it. Especially when you consider what he then did.
He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it’s certainly not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them an opportunity to close holes discreetly, without causing embarrassment for their company.
Yes, giant global tech companies have been known to have a reward system. I’ve never ever heard of a Govt Dept having such a system, and companies that do tend to advertise the fact. I asked Keith if Bailey asked for or suggested a specific amount, and he said no.
It is unfortunate Bailey thought his “accidental” half hour discovery was something MSD should pay for and did not do what Keith did, and just alert the Privacy Commissioner and publish what happened – either directly or via Keith.
MSD called Ira back two days later. They told Ira that they don’t pay for vulnerability reports. Ira told them he’d been talking to a journalist and the conversation didn’t go anywhere after that.
I’d be interested in details of that conversation. I’d also be interested in how, after that, MSD didn’t find the massive security hole. Who was alerted to the request for payment?
Should he have reported the vulnerability, free of charge? Yeah, that would have been the selfless thing to do for the public good. But asking to be compensated for his troubles is not unreasonable, either. After all, it’s not as if the people MSD ended up relying on – KPMG – did it for free.
There is a difference between being asked to locate a vulnerability for a fee, and finding one and asking someone to pay you for it, or otherwise you’ll expose it in the media.
As I said, I think Keith has acted entirely appropriately, and I’ve said so on radio – his actions have served the public interest. I’m reserving judgement on Bailey until I’ve heard more detail.