When Keith Ng blogged about the leaks on the MSD servers which could be accessed from WINZ offices he said he’d acted on a tip-off.
Only later in the day did he explain who gave him the tip:
So. The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He currently works as a system administrator, has a young child, and is not interested in being the media limelight. That’s why he asked for anonymity.
He did not have any special access to the system – he just had half an hour to kill at a WINZ office. He plugged in his USB drive and it didn’t appear, so he had a poke around the system to find it – and found the giant vulnerability instead.
He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it’s certainly not blackmail. . .
The additional background puts a different complexion on the story and raise several questions, not least of which is: why someone who is employed happened to have half an hour to kill and chose to spend in at a WINZ office?
Yesterday we might have wondered why the person who found the security hole chose to go to a blogger rather than the Ministry.
Today we know that Bailey did go to the Ministry, asked for money in exchange for the information and when none was forthcoming chose to go public.
What’s the difference?
There’s a reason court witnesses are asked to tell not just the truth but the whole truth and nothing but the whole truth.
By telling only part of the truth yesterday the people involved looked a whole lot more public-spirited than they do today. Now the element of personal gain and possible desire to do political damage have been added.
Had we known this when the story first broke it would have been seen in a different light.
This doesn’t change the fact that there was a massive hole in MSD’s computer security.
But it does raise questions about the people who exposed it, their motivation and whether or not we now know the whole truth.