#wtfmsd and bug bounties

Posted by: Penny Leach 2 years, 3 months ago


For those either not living in New Zealand, or living under a rock in New Zealand, #wtfmsd refers to the gigantic security hole that allowed members of the public to walk into Work and Income (WINZ) offices, and use their completely unsecured Kiosk computers to read (and in some cases, write) sensitive documents on the network.  These documents included details about children in the care of Child, Youth and Family (including addresses), prescription medication (anti depressants, anti psychotics) and information about an attempted suicide, amongst others.

The story was broken by blogger Keith Ng, who was tipped off by Ira Bailey; Ira had found the hole accidentally while trying to work out how to access his USB stick on one of the WINZ kiosks.

It turns out that the Ministry of Social Development (MSD) had been told about this before, not just by members of the public but by their own security auditors. Quite apart from the fact that this is a gross breach of the trust the public places in government services to keep their data secure, it's a PR disaster for the government.

So the spin machine is starting up, and they're focusing on two different issues to try and distract the public and the media.

First, Ira Bailey is a household name in New Zealand, due to his being one of the Urewera 17 (which I have written about previously). Quite apart from the fact that the Urewera "Terror Raids" are a dreadful example of the police getting completely carried away with themselves, not just crossing the line of legality (or for that matter ethics and reasonable treatment of communities) but leaping over it and dancing on the other side, the charges against Ira have been dropped, and he's understandably trying to move on with his life.  He lives in Wellington with his partner and young son, has a job as a system administrator, and as far as I can tell wants to be as far out of the media circus as possible.  The fact that it was he who discovered the problem is mere coincidence.

Second, when Ira called up, he asked if they had a vulnerability incentives scheme.  This is probably no surprise to people who work in IT, but for the rest of the public who haven't heard of such things, it's being spun as blackmail.  "Bug bounties" are pretty common.  Just google it and you'll see that companies such as Facebook, Google, PayPal and Mozilla, among others, offer (in some cases, huge) rewards for finding security vulnerabilities.  MSD certainly doesn't have such a scheme, and probably the New Zealand government in general doesn't.  I have to say though, in light of their record of releasing sensitive and confidential data to the public, maybe they should?

Disclaimer: I've known Ira Bailey for a long time and his partner is a close friend.

Featured image from flickr user Eduardo Deboni


Edited to add: Here's the sort of spin I'm talking about.  This commenter summed up my first thought on reading the piece.


penny 2 years, 3 months ago

PS there's a great interview with Ira here: http://podcast.radionz.co.nz/ckpt/ckpt-20121016-1807-massive_breach_of_security_at_the_msd-048.mp3

