The truth, the whole truth . . .

When Keith Ng blogged about the leaks on the MSD servers which could be accessed from WINZ offices he said he’d acted on a tip-off.

Only later in the day did he explain who gave him the tip:

So. The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He currently works as a system administrator, has a young child, and is not interested in being in the media limelight. That’s why he asked for anonymity.

He did not have any special access to the system – he just had half an hour to kill at a WINZ office. He plugged in his USB drive and it didn’t appear, so he had a poke around the system to find it – and found the giant vulnerability instead.

He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it’s certainly not blackmail. . .

The additional background puts a different complexion on the story and raises several questions, not least of which is: why did someone who is employed happen to have half an hour to kill and choose to spend it at a WINZ office?

Yesterday we might have wondered why the person who found the security hole chose to go to a blogger rather than the Ministry.

Today we know that Bailey did go to the Ministry, asked for money in exchange for the information and when none was forthcoming chose to go public.

What’s the difference?

There’s a reason court witnesses are asked to tell not just the truth but the whole truth and nothing but the whole truth.

By telling only part of the truth yesterday the people involved looked a whole lot more public-spirited than they do today. Now the element of personal gain and possible desire to do political damage have been added.

Had we known this when the story first broke it would have been seen in a different light.

This doesn’t change the fact that there was a massive hole in MSD’s computer security.

But it does raise questions about the people who exposed it, their motivation and whether or not we now know the whole truth.

4 Responses to The truth, the whole truth . . .

  1. Deborah says:

    There’s a difference between “had half an hour to kill in a WINZ office” and “had half an hour to kill so popped into a WINZ office”. The former implies having to wait around for something while already being in the office, but the latter is, I agree, a bit bloody odd. However, at this stage, the story as reported by Keith is, “had half an hour to kill in a WINZ office.”

    And he could have been there for any of a number of reasons. Child support? Looking for a new job? Supporting a friend?


  2. homepaddock says:

    Fair point, though having a USB stick and using it with the computer does suggest he intended to use the computer.


  3. Deborah says:

    Indeed, ‘though as it turns out, I carry a USB around routinely. However, there’s a bit of information about how those kiosks actually work(ed) over at PAS:

    everyone used to stick their usb sticks into the kiosks as this is what WINZ staff said to do – bring your cv on a stick and work on it there as they had disabled access to sites like google docs and you weren’t able to download it from your email or anything. As wait times at WINZ are ridiculously long, people were often just messing about on the kiosks while they waited.

    I don’t think that we’ve got enough information yet to either exonerate Ira Bailey (he really did discover it by accident), or indict him (in there creating trouble).

    But really, the trouble is not over who found the fault. The big huge problem is the almighty bloody security flaw in the WINZ computer kiosks. All the blackening of Ira Bailey, and by extension, Keith Ng, who just did what any reasonable journalist would do, is just a distraction.


  4. homepaddock says:

    Yes – that’s why I said, what we’ve learned since yesterday doesn’t change the fact there was a massive hole in the system.

