Member log in

Ng names source: Urewera 17 member Ira Bailey

UPDATE Oct 16: 

The Prime Minister was stirring on TV3's Firstline this morning, speculating that blogger Keith Ng paid Urewera 17 member Ira Bailey for his tip about an MSD security breach.

"Obviously it would have been better if the individual involved had actually told the government and not tried to charge the government some sort of 'fee' - to put it in those terms - but he didn't and goodness knows what he did with the blogger. I don't know if he gave it to him or sold it to him," John Key said.

The Prime Minister and MSD CEO have framed Mr Bailey's request for money in sinister terms, implying some kind of shake-down. Mr Bailey's supporters have pointed out that a number of organisations, including Google, regularly pay people who report bugs.

After Mr Key's interview, NBR asked Keith Ng whether he had paid Mr Bailey.

"No," he replied.

Mr Ng also reiterated his line from his latest blog  that, "He showed me the vulnerability - the only condition was that his name be kept out of it."

The blogger has now received more than $4400 in donations from the public after asking readers to chip in if they appreciated his investigative story.


Oct 15, 8pm: Blogger Keith Ng this evening named the man who tipped him off to a major Ministry of Social Development security hole: Urewera 17 member Ira Bailey, younger brother of Urewera Four member Emily Bailey.

Mr Bailey faced firearms charges the wake of the 2007 Urewera terrorism raids. A police expert witness said a chemical recipe and instructions found in his flat could be used to create a thermite bomb capable of melting the the engine block of a car. All charges against the Wellington man were ultimately dropped.

Mr Ng's move had the look of a preemptive strike.

And indeed when NBR ONLINE contacted the blogger, he said he had received a call from NZ Herald reporter Claire Trevett, asking him to confirm if Mr Bailey was his source (as NBR types, the Herald has yet to publish an article based on that tip).

Did he suspect the MSD had tipped off the Herald, raising a different kind of question about its security?

Mr Ng responded, "People who knew Ira's identity were me, our lawyer, his family and MSD."

But in his On Point blog, he elaborates:

Since he called MSD and left his name and number, it was always likely that they’d out him as a diversion. We had hoped that it wouldn’t get to that, but it has, which is why I’m writing this now.

Tonight, MSD spokesman David Venables told NBR, "MSD has not named anyone".

Ms Trevett declined to discuss her source.

The Urewera 17 tie-in is juicy, and could, indeed, distract the media (see - cough - the headline above). Conspiracy theorists might see Mr Bailey looking to extract some utu on the Crown.

Mr Ng writes that the truth is much more straight forward:

He currently works as a system administrator, has a young child and is not interested in being the media limelight. That’s why he asked for anonymity.

He [Ira] did not have any special access to the system – he just had half an hour to kill at a WINZ office. He plugged in his USB drive and it didn’t appear, so he had a poke around the system to find it – and found the giant vulnerability instead.

He called MSD to ask if they had a reward system for reporting security vulnerabilities. [Earlier today, MSD CEO Brendan Boyle said an attempt had been made to receive money in return for details of a security issue]. This is not unusual practice, and it’s certain not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them a opportunity to close holes discretely, without causing embarrassment for their company.

MSD didn’t know what to do with his request, and it got slowly bumped up the food-chain.

Ira didn’t hear back from them, so he talked to me instead.

Mr Ng ran his own week-long investigation to confirm Mr Bailey's tip-off, then went public with what he found: an embarrassing security lapse that meant many parts of the ministry's network and sensitive client files, were accessible from public WINZ kiosks.

Institute of IT Professionals head Paul Matthews told NBR the MSD's security woes appear to go far beyond the kiosks.

He told NBR last night, "As well as the clear issues of placing a publicly accessible system on an internal network containing highly sensitive data, the fact that any computer on the network can seemingly openly access these types of files points to a potential widespread systemic failure of IT security and governance."

The MSD has commissioned an independent inquiry, but confined it to kiosk security at this point, CEO Brendan Boyle said yesterday.

The chief exeucitve said the ministry worked with two companies on security issues, KPMG and Dimension Data.

Dimension Data had carried out penetration testing on the kiosks, which were installed in April last year, but uncovered no issues.

Penetration testing was now being intensified.

Comments on this story are welcome, but any more offensive or potentially defamatory remarks and they will all be disabled, thereby losing the opportunity for sensible discussion.

More by this author

Comments and questions

Greedy scum bags? You might like to make an OIA request and find out how much the security consultants charged for their incompetent services.


Unfortunately for Bailey - the reality of vulnerability rewards is unlikely to be made clear in the media. Instead his efforts will be painted as blackmail - an idea that MSD appear to have been planting already.

I doubt many people who have any knowledge of IT security would fault Bailey for his approach, but the media and general public aren't so understanding.

Exactly. Bailey's being set up to look like he was out to screw the government. Why in the world he'd be inclined to do that I'll never know. I guess the whole sorry mess is a warning to every ethical hacker in NZ to act defensively in every instance, and plan to go public each time. Who really wants to do that?

Well it's obvious, don't trust the govt with any discreet information because they have more leaks than a council building.

Standard govt MO: attack the source to deflect from their own incompetence.

Pre-emptive strike?
You are joking!
Trevett is a professional and Ng isn't.
Never reveal your sources and Ng has blubbered the first sign of any heat.
That's possibly why he's a free-lancer.

I'm sure Ng talked to Bailey about this before publishing the details.

If Trevett has been given his name then she's also been given the context, as the MSD want's to present it. They've already put out their scare-quotes-reward story so it's clear how they'll try to frame Bailey's approach.

Ng's pre-emptive strike in co-operation with Bailey is an effort to make sure the story is presented in terms that aren't just how the MSD wants it presented. I think it's exactly the right way to approach the issue. Keith's post is now by far the most detailed source of information about his source, the media have little alternative but to at least read his side of it now, rather than simply relying on the MSD's details.

Had this not been pre-emptive then the first articles about Bailey's involvement would have been framed entirely on MSD's terms. Keith or Bailey could have then posted a response, but the story is already set and framed by then.

Bit of a shame the truth is a tad dull and here I was waiting with all manner of conspiracy theories sufficient to rival the pending Bond movie. In reality MSD being dullards wouldn't know whether to have a powhiri or hui before deciding how to handle the reported issue.

Who would ever want to be a source of Ng's now?

Talk about never getting another chump to give info.

Wait a minute. Keith protected his source through anonymity until it became clear the kind of leaking that Bennett's office is becoming notorious for was going to be used to distract attention, at which point Keith scooped the leak with the actual story rather than the Govt's spin.
I find your stance on this issue odd. It feels a lot like you're leaping to attack Keith because he makes the way you handle security stories look kind of douchy.

Yes I'm quite, quite sure he didn't discuss this with Bailey first at all, that's CLEARLY the obvious conclusion.

As an aside to all this, I think the NZ Government should establish an IT advisory group that can co-ordinate with any and all government IT departments on issues like this and that group should institute and publicise a Vulnerability Reward program. The data we're talking about is just too important to rely on the hope that "good citizens" will report whatever they find and that random IT departments will act appropriately.

There is already -
The New Zealand National Cyber Security Centre provides enhanced services to government agencies and critical infrastructure providers to assist them to defend against cyber-borne threats.
But im betting their budget doesn't allow them to be pro-active.

And ironically the NZ NCSC is part of the GCSB! Asleep at the wheel again!

You're kidding right? Don't you think there are enough "advisors" within Govt already providng poor advice?

Remember, WINZ are dealing with no-hopers; so it follows on, that they are no-hopers, themselves.

Haka, anyone?

Fantastic stuff. Ira is on linkedin with ICT his bread winner. this guy Ng has made a hash of the story now. Would be interesting to know how many politicians knew before the story broke.
Kit Dot Com just became a DvD copy - Ng Part 1 just released in cinemas near you.

What evidence is there that this is accurate. It just sounds like a guess to me

fact that any computer on the network can seemingly openly access these types of files

New Zealand, eh. Who's running this circus?

Keys the ringmaster,you can take your pick for the clowns,he's got the whole cabinet to choose from.The audience has been taken for a ride with scalped ticket sales.In short,we have been shafted.

First response to this debacle - panic. Second find a scapegoat and use your spin doctors to deflect what really is an IT 101 issue. Third - "call in the experts". This department must have their own inhouse expertise to resolve if given a bit of space and time, but I can imagine the scene - panic phone calls, meetings, reports - "when will it be fixed" etc.

Question, why was Ng in a WINZ office playing with a Kiosk? Is he on a benefit? Maybe remove his residency/citizenship and deport him, immigration can do this because how is he helping improve NZ.

You forgot "Is he even a real New Zealander?"

He was legally in the WINZ office.

who Ng or Bailey. We all arrived at sometime.

Question: did you read the article?

"it’s certainly not blackmail" - yeah right

I know, #11. Let's shoot the bloody messenger!

I’m surprised by the no. of people who think that Ira Bailey’s actions were justified. Why did he need payment to report the vulnerability?

I must have a different moral compass to many, as I’d have reported it regardless of whether there was a reward offered.

Right - we should pay IT Security companies megabucks for their incompetent services but not for a guy who finds a huge hole.

The problem(?!) was reported to MSD by an IT company a year ago. Nothing was done. Bailey went public. Now something will be done.

If someone rang my office highlighting a security issue I would invite them in to meet with my CIO.
This 'state knows best' rubbish has got to end.

I find it telling that Bailey, instead of helping protect the privacy of the children and families involved, asks for money.

My first inclination was to assume those involved had nefarious intent, but the kiosks has USB ports available??!! Unbelievable!!

The major issue nobody wants to talk about, raised by any and all privacy breaches of personal data held in govt. databases, is that we never had the real debate about is it a good idea for the govt. to have this much data in the first place?

In the Govt.'s headlong rush to wield the power of information, compulsorily acquiring huge databases of private data, Stasi-like and often in direct contradiction to the principles of a liberal democracy, they have created big fat targets for cyber-attacks, hacks and other centralised IT failures of many kinds. Just because you can centralise the public's personal data into big, fat targets just waiting to fail spectacularly, does not mean it is a good idea to do so.

Network information technologies do not work like the govt. wishes them to .... now they have made us all vulnerable with their meglomaniacal, greedy schemes for compulsorily centralising information. It is a mathematical surety that the current centralised systems of data the govt. IT "experts" have created will succumb to failure at some future point in time.

Decentralised systems, where private data is kept private (i.e. on your own computer) will ultimately be proven out to be the superior system. At that point, the nation state may cease to exist in the information age given its propensity to lump its lot in with the failed centralised models subject to systemic failures.

NAIT, WINZ, IRD, MOT, Customs, Police, GCSB, Banks-KYC and etc, etc hold the precious IT data of NZ in their vulnerable databases ... do we really want to be entrusting so much power in a failed model? I know I resent yielding my personal data compulsorily into these broken systems but nobody wants to hear about the downsides and you'll go to jail if you refuse to join the insane march into the abyss of centralised system failures.

Freedom is more than just a word.

Well said. Rolling back bureaucracy is the only answer to incompetence. However, as usual the problem will be investigated by the bureaucracy and the solution will be more bureaucracy. The investigation will be outsourced to a big accountancy conglomerate who will hire a techo from Oz to feed a few local snippets into one of their standard reports which will then serve mainly as a sales pitch for their next report or project.

The process will cost a fortune and create a bigger and better mess of which as usual the departmental management will have zero understanding.

From what I have seen all the material viewed was sittting on the network shares. Why is all this information not in their document and records management system?? Most government agencies have gone down the path of purchasing and installing a fancy EDRMS of some description, where information is usually subject to extra levels of security.
So, MSD, how about using yours???

The main thing here is that the MSD store sensitive data, including the phone calls they record when you ring them which they now say are "for our purposes". anyone reading on this site will know you don't store passwords in plain text. How the hell did that happen ?

Teflon John playing the blame game again,blaming everyone except his government,obviously something is not sticking to John's blanket.How does he get away with it all the time?Is it the apathy of the public,who moan,moan then do nothing,or just the collective incompetence of government departments who rely on that apathy to stay in their jobs,creating even larger blunders and know they cannot be held accountable.We the public are quite sad and pathetic really.

Good on Ng ,maybe he has some friends who can up the fingers in holes in the dyke of this IT blunder,cos the ones they have now are useless.

Paula,Paula, Paula for once,listen to your advisors,they are there for a reason,trying to stop you from looking a complete idiot,for one,then keeping you from shooting yourself and ones close by in the feet.They are there to help Paula,Ng has bought to your attention a security breach,as big as the grand canyon,do not,I say again,do not,shoot the messenger.He comes in peace.