OnPoint by Keith Ng

What Andrew Geddis Said, But Shorter and With More Swearing

During the Budget lock-up last week, an old hand from one of the law firms said that I should ask Bill English about all the legislation that was going to get rushed through immediately after the Budget. I gathered, from what he told me, that a lot of bills got passed in the wake of the Budget with very little scrutiny.

Well. This happened:

You're looking at the Regulatory Impact Statement (RIS) for the Public Health and Disability Amendment Bill. Basically, the courts said that the Government had to pay family members who looked after people with disabilities (because not doing so was discriminatory), so the Government passed this law to say: "Yeah nah."

The RIS isn't just redacted for the public - it was redacted for MPs. *Parliament* voted on this, with all the relevant facts blacked out.

Sure, it's understandable, right? If you're passing a law that's really fucking dodgy, you don't want advice from civil servants saying "uh, this is pretty illegal" to be public. That shit is super embarrassing in court. But actually, that's not really a problem here, because in the same piece of legislation, THEY SAID THEY CAN'T BE TAKEN TO COURT.

Andrew Geddis, over on Pundit, pulled out this shiny little turd (section 70E in the bill):

[When this law kicks in], no complaint based in whole or in part on a specified allegation [that the policy unlawfully discriminates] may be made to the Human Rights Commission, and no proceedings based in whole or in part on a specified allegation [that the policy unlawfully discriminates] may be commenced or continued in any court or tribunal.

That's to say, it doesn't really matter whether the law is discriminatory or not. Hell, it doesn't matter even if the RIS explicitly admits that it is, because they just changed the fucking law to say that you can't complain to *any court or tribunal* over it.

Geddis also pointed out that Attorney-General Chris Finlayson has said that, actually, no, this is not okay. From Finlayson's report to Parliament:

[Section 70E] appears to limit the right to judicial review because it would prevent a person from challenging the lawfulness of a decision on the basis that it was inconsistent with [the Freedom from Discrimination section] of the Bill of Rights Act... On balance, I have concluded that limitation cannot be justified under s5 of the Bill of Rights Act.

(s5 of the Bill of Rights Act says that the Bill of Rights "may be subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society")

Geddis suggested that you "might need a moment to let the implications of this sink in". In the interest of expediency, I'm going to start you off:

NOT. FUCKING. OKAY.

In the GCSB case, they did something illegal, then just changed the law to make it legal (which is already quite a large crazy basket of NOT OKAY). Here, they're doing something which was against the Human Rights Act before, and is still against the Human Rights Act after, but just made sure the people on the receiving end can't have their legal rights recognised or enforced.

It's saying, sure, the Government's doing something illegal to you, but it's okay, because we just made a law to say there's nothing you can do about it. Lolz!

Well, it's not okay. It's not okay that human rights promised by law are not honoured because it costs money. It's not okay that due process promised by the Bill of Rights doesn't apply because the Government says it doesn't apply. It's not okay that advice about how Parliament is about to piss all over the rule of law (at least I assume that's what the legal advice says, because we can't see it) is denied to Parliament. It's not okay that saying "Budget, Budget, Budget" means that the Government can bypass all the checks and balances of Parliament itself and just put itself above the law overnight.

NOT. FUCKING. OKAY.

Here's where it gets awkward. Ours is a system of parliamentary sovereignty, with only an informal constitution. Parliament *can* change the Bill of Rights, and it *can* make the Government exempt from it. There's no upper house to stop them, no presidential veto*, no supreme court which can strike it down.

It's only "not okay" in the sense that we have a reasonable expectation that the Government respects the principle of the rule of law, constitutional conventions, and the laws which make up our constitution. Because DEMOCRACY.

When you say it out loud, it really makes our constitutional set-up sound stupid. And it kinda is. But it is, nonetheless, a system. And in this system, *we* are the check against Parliamentary power.

To exercise our constitutional responsibilities, we need to start by getting really, really fucked off.

--

* Bonus points: Actually, the Governor-General is the other check in the system. Is this a legitimate case for the GG to refuse to sign this into law? Are there conventions for when the GG should activate their Cause-Constitutional-Crisis powers?

Budget 2013: Bringing Down the House (Prices), but not really

Update: Tool is live!

"On track to surplus"

That's not really true. Revenue projections are down on the 2012 Budget, and the Government would be in deficit - except they cut the Operating Allowance for Budget 2014 by $200m.

I had a crack at Bill English about this during the lock-up; his argument was that money is money - I might as well be saying that of *anything* that saved the government more than $75m, and claim that the government only did that because it would bring them over the threshold.

The difference with changing the Operating Allowance is that they don't have to make any decisions yet - it's just a promise to find some money next year. They really will need to find this money next year, so in that sense, it's quite legitimate. But it makes this "on track to surplus" claim really hollow. It's akin to saying "if I spend less next week, I'll have unspent money". It's true - it just doesn't mean anything.

NZSF

Resumption of contribution to the NZ Super Fund has been delayed, again. It's only a few years, but by Treasury's NZSF model, that matters a lot. By 2033, the NZSF would be $12b smaller (that translates to less money it's feeding back to the government), and about $4b less in tax revenue in the next 20 years.

Of course, that's offset by the decrease in debt and the cost of servicing that debt, and there're the old arguments about whether a dollar in the NZSF is as safe as a dollar less debt.

Student Loans

The Government is getting pretty aggressive about collecting debt from students overseas. Yeah, half the readers of Public Address - that's you, buddy.

  • "Fixed repayment obligations and higher repayment thresholds for overseas-based borrowers" (I think they mean lower thresholds though. I think.)
  • "[Extending] the child support border arrest system for the most non-compliant overseas-based borrowers"
  • "Ongoing information-sharing agreement between IRD and Internal Affairs to collect contact details from passport applications"

More details here.

It's a little horrifying in terms of its aggressiveness, but I also think it makes sense in a lot of ways. Aside from raising the amount of money which is collected, it'll also make it less attractive to try to flee your student loan debt, or to get into the situation where interest stacks up to the point where it becomes impossible for graduates to move back.

It's a big, hideous stick, but I guess good policy doesn't have to be all carrots.

Tertiary Education

  • "New funding" for engineering and science that are basically just inflation adjustments (2% increase), but not for other areas.
  • Signalling that Management, Commerce and Arts should GFYS: Other higher-cost subjects may see an increase in funding if necessary.
  • Private Training Establishments to receive same level of funding as public tertiary education institutions.

Bits and Bobs

  • $80m for new irrigation. Sounds like they're going to be building some dam.
  • New rules to make multinational corporations pay their "fair share" of taxes. But don't expect a Google windfall - it's only expected to generate $20m over the next 3 years.
  • "Exploring options" for microfinance schemes (low-/no-interest loans) for beneficiaries. Would be great if they get this off the ground - it will put predatory finance companies out of business.

--

The interactive visualisation of the Budget is here. If you loaded it up prior to 14:00, remember to refresh your browsers so you're loading up the right one.

For best performance, use Chrome to view it.

--

If you think this kind of blogging/data journalism is worthwhile, I'd really appreciate a few bucks on my Givealittle page. The money is nice, but more importantly, this is an experiment to see if reader-funded independent journalism can work in a small market like NZ.

#WTFMSD: "Damning"

"Damning" was actually the word used in the MSD press release:

MSD Chief Executive Brendan Boyle says the report is damning around MSD's failure to separate public kiosks from a network containing corporate files.

And it is. The Dimension Data security review of the kiosks came out, and as expected, they were crystal bloody clear:

The most pressing security issue discovered is the lack of network separation or segregation within the environment... This introduces an inherent level of risk as it could allow for a member of the public to gain access to MSD network resources and services. Physical network separation is strongly recommended, and the current solution should not be deployed into a production environment before network separation is achieved.

The problem was listed as "Urgent".

So where are we now? Four "employment investigations" are under way. Boyle refused to say anything about these people, so we don't know their seniority or the nature of their roles. But he did make clear that the decisions didn't get escalated properly - i.e. Senior managers weren't involved. He also said that it simply "dropped off the radar" - that it wasn't a matter of cost-cutting, it was a matter of WTF.

So basically, there is no explanation of why they ignored DiData's report. Hopefully we'll find out more once those "employment investigations" are completed and the second phase of the report comes out.

MSD has also ring-fenced the breach: that although 1432 documents contained personal information, they only contained "highly-sensitive" information about 10 people. It's worth noting that many of those documents contained tens of names. I'd estimate that more than 10,000 individuals were identified in those documents.

Many of those would have been MSD contractors, with pay rates, hours etc. It's private, but not terribly sensitive. Reasonable people can disagree about whether that's a big deal or not. But other names, such as individuals being investigated by the Benefit Fraud Unit or the MSD Intelligence Unit, were also deemed not highly sensitive. That's a big call.

Full report here, via NBR.

UPDATE: Some speculation. The email to MSD from Kay Brereton (the beneficiary advocate) describes the problem as:

...was able to access info which gave him the "names" of all the computers on the network

By the time it got to MSD, this was described as:

...was able to access the IP addresses (you will know better than I what this means) for all the PC's including staff PC's in the office

Printers were also mentioned.

The original description of the problem sounds exactly like being able to map network drives and seeing the names of all the computers on the network. And you can map network resources through the printer dialogue (let me know if I'm wrong about this).

UPDATE 2: My understanding is that there's no audit trail to determine *who* accessed information, but that there *were* network logs. Boyle talked about not finding any "download patterns" - i.e. people leeching large volumes of data, like I did. That seems like a reasonable way to detect intrusion, unless it was someone who covered their own tracks (in which case no audit trail would help).
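What a "download patterns" check over network logs might look like, as an added defender-side example (not code from this post, MSD or Dimension Data): over constructed log lines with assumed kiosk and staff address ranges, it flags any kiosk host that reaches a staff file share at all, and any kiosk whose outbound volume dwarfs that of its peers.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample lines, not MSD's logs: "timestamp src_ip dst_ip:port bytes_out"
# Kiosks are assumed to sit in 10.10.50.0/24 and staff PCs in 10.10.20.0/24.
SAMPLE_LOG = """\
2012-10-14T10:01:02 10.10.50.11 10.10.20.5:445 40960
2012-10-14T10:03:10 10.10.50.11 10.10.20.5:445 52428800
2012-10-14T10:07:45 10.10.50.11 10.10.20.9:445 31457280
2012-10-14T10:02:00 10.10.50.12 203.0.113.8:443 20480
2012-10-14T10:05:00 10.10.50.13 203.0.113.8:443 15360
2012-10-14T10:06:30 10.10.50.14 203.0.113.9:80 8192
2012-10-14T10:09:00 10.10.20.5 10.10.20.9:445 5242880
"""

KIOSK_NET = ipaddress.ip_network("10.10.50.0/24")   # assumed public kiosk range
STAFF_NET = ipaddress.ip_network("10.10.20.0/24")   # assumed corporate range
FILE_SHARE_PORTS = {445, 139}                         # SMB, i.e. mapped network drives
VOLUME_FACTOR = 20                                    # flag > 20x the median kiosk volume


def parse(log_text):
    """Yield (src, dst, port, nbytes) from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst_port, nbytes = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)


def analyse(log_text):
    """Return {"segmentation": [...], "bulk": [...]} listing offending kiosk addresses."""
    bytes_per_kiosk = defaultdict(int)
    segmentation_hits = set()
    for src, dst, port, nbytes in parse(log_text):
        if src not in KIOSK_NET:
            continue                       # only kiosk-originated traffic matters here
        bytes_per_kiosk[str(src)] += nbytes
        # A public kiosk should never reach a staff file share at all.
        if dst in STAFF_NET and port in FILE_SHARE_PORTS:
            segmentation_hits.add(str(src))
    bulk = []
    if bytes_per_kiosk:
        baseline = median(bytes_per_kiosk.values())
        bulk = sorted(h for h, b in bytes_per_kiosk.items() if b > VOLUME_FACTOR * baseline)
    return {"segmentation": sorted(segmentation_hits), "bulk": bulk}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The volume check only catches leeching; a slow, careful copy, or one that reaches staff hosts over a port not listed here, leaves no such pattern.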

H4x0rs and You

"No good can come of a hacker talking to a TV journalist," my hacker friend said when I asked him to go on camera for a TV journo. He was goddamn right.

I gave Paul Craig's name to one journalist on Tuesday morning and to a few others after that. I thought it was pertinent that Dimension Data had one of the world's best kiosk hackers on staff, and therefore it was ludicrous to think that they could have missed the shit-simple security hole I used. In hindsight, I really should have paid heed to my friend's advice: No good could have come of it.

Hey Paul - I'm sorry.

Heather du Plessis-Allan's story on TVNZ missed the point for a lot of reasons. For starters, if she'd watched the whole of Paul Craig's Defcon presentation, she would have seen the smoking gun: 12 minutes in, Craig talked about using Open File dialogues as mini-Explorer windows, and discussed how they could be exploited. This was what we used (albeit in a really unsophisticated way). This was Item #2 on Craig's list. It's just not plausible that he would have failed to warn MSD about it.

Second, here's a rule of thumb: If someone is telling you about their hacking, and the system in question hasn't already been reduced to a steaming pile of goop, they're probably not a "malicious" hacker. Craig attacks systems in the same way that a malicious hacker would, so from a security perspective, he is a "malicious" agent. That doesn't mean he's malicious in the "out to get you" sense. I mean FFS, he works for a security testing company. He's *paid* to break into systems. It's utterly ridiculous to call him a malicious hacker, and it stems from a total misunderstanding of the context.

Third, the implication that he's a Bad Guy because he's a "Hacking Teacher". Once again, it shows a fundamental misunderstanding of the nature of these security exploits. Standing in front of a conference explaining exploits is what the *good* hackers do (while we're at it, so is selling the exploits to the originating organisation). The bad hackers keep it for themselves, or sell it on the black market to criminal organisations (who then keep it for themselves). The difference is that once an exploit is made public, it usually gets shut down pretty quick. The best way to take advantage of an exploit is to keep it secret while you use it to compromise systems and steal data.

The upshot is, if they're standing in front of you telling you about their hacks, they're probably not the ones you need to worry about.

Same concept applies to Patrick Gower's story earlier this year as well (which I'm rehashing now with my newfound l33t h4x0r credentials... and because I was actually right). If Murray McCully's email was hacked by Russian hackers after military secrets, they would have sat on that email and used it to compromise other systems. They would not have sent out prank emails. See the Wired guy as an example of how you can overrun everything once you have access to an email.

I bring it up because they're both a part of the same problem. Clearly, computer security has moved beyond being just "IT news". Journalists can't report on it unless they have some basic understanding of it, and they can't get that understanding without talking to real hackers. That isn't that hard... unless they keep doing shit like this.

The Source

Update: A journalist called up earlier knowing Ira's name, and asked me to confirm him as my source. It was clear that somebody had given her the name, and the story was due to be published tomorrow. Sorry I wasn't clear about this in the original.

Update 2: *Obviously* I've been in touch with Ira this whole time. He was also contacted by the journalist yesterday, we discussed how to proceed and then I wrote this. I got his permission to write this and cleared the draft of this with him before I published this. Like, seriously - what kind of dick did you think I was?

So. The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He currently works as a system administrator, has a young child, and is not interested in being in the media limelight. That's why he asked for anonymity.

He did not have any special access to the system - he just had half an hour to kill at a WINZ office. He plugged in his USB drive and it didn't appear, so he had a poke around the system to find it - and found the giant vulnerability instead.

He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it's certainly not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them an opportunity to close holes discreetly, without causing embarrassment for their company.

MSD didn't know what to do with his request, and it got slowly bumped up the food-chain.

Ira didn't hear back from them, so he talked to me instead. I put him in touch with an experienced hacker. This hacker told us that government organisations in NZ don't really pay for vulnerability reports, and that they were likely to either respond poorly or not at all.

MSD called Ira back two days later. They told Ira that they don't pay for vulnerability reports. Ira told them he'd been talking to a journalist and the conversation didn't go anywhere after that.

At this point, it was clear that Ira was not going to get paid for it, but that it could still be an important story. He showed me the vulnerability - the only condition was that his name be kept out of it. He wasn't interested in being in the limelight.

The rest, I've already blogged. We have since both deleted all the material from our computers, and Ira assured me it's all gone, and I've assured the Privacy Commissioner of this.

Since he called MSD and left his name and number, it was always likely that they'd out him as a diversion. We had hoped that it wouldn't get to that, but it has, which is why I'm writing this now.

Should he have reported the vulnerability, free of charge? Yeah, that would have been the selfless thing to do for the public good. But asking to be compensated for his troubles is not unreasonable, either. After all, it's not as if the people MSD ended up relying on - KPMG - did it for free.