OnPoint by Keith Ng


OnPoint: The Source

217 Responses


  • Dylan Reeve,

    Vulnerability Rewards aren't uncommon. Many (most?) big internet companies will offer them (some are advertised, some are not) as will many other businesses.

    The idea being that a security vulnerability is probably worth money to someone. If you offer some reward to people for reporting them to you it's less likely people will try to profit from them in some other way.

    Had I discovered it I may have handled things the same way that Ira did (well actually I'd probably have publicised it personally rather than going to Keith) - see if MSD wanted to reward my help, otherwise detail the problem (while giving MSD a reasonable heads up) publicly.

    The ways of handling vulnerability reporting are a constant point of contention among the IT security community. Most adopt a "disclose and publish" approach where they tell the affected organisation then some time later publish the details. But some will just publish. Others will basically sell the information into the "black hat" world.

    Auckland • Since Aug 2008 • 311 posts

  • Glenn Pearce,

    Suggest you read again Keith's post; troubles is his word.

    Auckland • Since Feb 2007 • 499 posts

  • Ross Mason,

    Heh. Been searching for data on my files and found this topical quote:

    “Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.”

    Rich Cook

    Keith, you idiot!!!!!

    Upper Hutt • Since Jun 2007 • 1588 posts

  • insider, in reply to Islander,

    Sure bear. Read the second last line of Keith's post - "But asking to be compensated for his troubles is not unreasonable, either. "

    Wellington • Since Sep 2011 • 31 posts

  • andin, in reply to insider,

    Read the post would you.

    He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it’s certainly not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them an opportunity to close holes discreetly, without causing embarrassment for their company.

    raglan • Since Mar 2007 • 1881 posts

  • insider, in reply to andin,

    Read the post to the end, would you.

    Wellington • Since Sep 2011 • 31 posts

  • Trevor Nicholls, in reply to Glenn Pearce,

    My bad. In context informing the MSD was taking trouble to do the right thing - it's not as if there weren't more lucrative options around. (By the way, do you know how much effort it takes to have a serious conversation with a government department?!)

    Wellington, NZ • Since Nov 2006 • 310 posts

  • Tze Ming Mok,

    Seems to me the most responsible thing for Ira to have done after such a lacklustre MSD response would have been... to tell Keith Ng.

    SarfBank, Lunnin' • Since Nov 2006 • 154 posts

  • Islander, in reply to Tze Ming Mok,

    Ae!

    Big O, Mahitahi, Te Wahi … • Since Feb 2007 • 5643 posts

  • FiFi, in reply to Sacha,

    No, it's not blackmail. In fact they (WINZ staff) try the same tricks when they are in the wrong and don't want to be exposed. I have first-hand experience of that. Besides, these things don't happen by accident; they happen for a reason. Seems like sweet justice for Ira for the wrongdoing inflicted on him by a government department.

    Auckland • Since Oct 2012 • 6 posts

  • Marc C,

    Yes, nothing new this is again. The oooh so loving and caring 'Crown' (acting in the form of the government and its agencies, departments and ministries on its behalf) always "cares" for us, and treats us in absolute "good faith" all the time, aye?

    They expect a common citizen to come and sort their problems out for them, free of charge, while we get presented with user charges, fees, penalties and whatsoever, when we ask for something, need something and in some cases fail to deliver.

    Also WINZ swiftly comes with sanctions, arrogantly demands full disclosure and more, when clients deal with them, being the weaker, often legally illiterate party. Yet when we seek transparency, accountability and service delivery and integrity, then they treat many of us with contempt, fob us off and "shit" on us.

    I am appalled, yet again, about the arrogance and two-facedness of WINZ and MSD. They show how much they care in the following story and case too:

    http://www.stuff.co.nz/sunday-star-times/latest-edition/7779516/Jobless-battler-takes-on-Winz-for-a-3-cause

    http://www.odt.co.nz/news/dunedin/229829/beneficiary-fighting-court

    "We are there for you and want to ensure you get the support you need", something along those lines is their usual propaganda!

    BS through and through!

    Take a stand and confront them, liars!

    Akl • Since Oct 2012 • 437 posts

  • FiFi, in reply to Ross Mason,

    Well, spending money on making sure their systems work would be out of the question, because it might dip into their Christmas bonus money, and we can't have that, can we.

    Auckland • Since Oct 2012 • 6 posts

  • FiFi, in reply to Marc C,

    Isn't it amazing that they can spend so much taxpayers' money to fight decisions they don't like, but when it comes to giving people what they are entitled to they come at you with this savings BS.

    Auckland • Since Oct 2012 • 6 posts

  • Keith Ng, in reply to Trevor Nicholls,

    By the way, do you know how much effort it takes to have a serious conversation with a government department?!

    Well I could tell you how much money it *costs* to have a conversation with a government department... except the Privacy Commissioner would waterboard me.

    Auckland • Since Nov 2006 • 543 posts

  • Ben Masters,

    Troubles? Yes, he must've worked so hard to plug in his USB drive. Heaven forbid that his drive not appear (at least geni got that far); he sticks his nose where it shouldn't have been able to get to. How bitter do you have to be, when finding a breach in "national security", that, upon realizing you weren't going to be paid for your "troubles", you felt the need to go behind the back of MSD and break this story.

    And to the Urewera saga. A simple definition of terrorist: a person who terrorizes or frightens others. Discharging a shotgun around a large crowd, that frightens the shit out of me. To think it is OK, disgusting.

    Feilding • Since Oct 2012 • 1 posts

  • FiFi,

    This article was really disturbing

    Winz manager sacked after bar fight with client

    http://www.nzherald.co.nz/winz/news/article.cfm?o_id=247&objectid=10804728

    Auckland • Since Oct 2012 • 6 posts

  • Islander, in reply to Ben Masters,

    And to the Urewera saga. A simple definition of terrorist: a person who terrorizes or frightens others. Discharging a shotgun around a large crowd, that frightens the shit out of me. To think it is OK, disgusting.

    Ben Masters - your intellect is sort of on the level of a paua - cling on to the same old same old and never question anything -

    I normally welcome people to PAS (as do all long-term PAS people) BUT

    do you actually understand the ramifications of anything you said?

    Big O, Mahitahi, Te Wahi … • Since Feb 2007 • 5643 posts

  • papango, in reply to Ben Masters,

    How bitter do you have to be, when finding a breach in “national security”, that, upon realizing you weren’t going to be paid for your “troubles” you felt the need to go behind the back of MSD and break this story.

    I'm not really convinced by that to be honest. It looks to me like he asked at MSD and got a pretty slack response. Which doesn't surprise me because the chances that he was actually allowed to speak to someone in IT who understood the problem are nil, at best. They didn't think they had a problem and they weren't interested in listening to someone tell them they did.

    Wellington • Since Jan 2012 • 19 posts

  • FiFi,

    The dept mess-ups that just keep giving

    Too old, Winz tells mum, 42

    http://www.nzherald.co.nz/winz/news/article.cfm?o_id=247&objectid=10840371

    You know, after the hassles I have had with them lately I am feeling a sense of sweet justice as well. I was hoping to find a journalist to write a report with me, but I haven't been able to find one yet.

    Auckland • Since Oct 2012 • 6 posts

  • Ian Dalziel,

    classic Lift Pitch endings...

    ... and found the giant vulnerability instead.

    There has to be a kids book in that
    or some kinda kidult blend...
    dibs on....

    Christchurch • Since Dec 2006 • 7887 posts

  • Dylan Reeve, in reply to Ben Masters,

    How bitter do you have to be, when finding a breach in “national security”, that, upon realizing you weren’t going to be paid for your “troubles” you felt the need to go behind the back of MSD and break this story.

    Breaking the story is pretty much the norm. Even with most vulnerability reward programs the person reporting the issue is still allowed (in some cases encouraged) to publicly report it however they wish - the only limitation is timing.

    Sure, he could have just told someone at MSD about the issue, although according to news reports today someone had already tried that. Instead by telling a journalist he made sure the problem would be properly addressed and the MSD still got advance notice so they could mitigate immediate damage.

    Nothing Ira or Keith did here is improper or unreasonable. Had MSD (or NZ government in general) been operating a vulnerability reward system the only thing (hopefully) that would have changed here is that MSD would have got more details sooner, but everything else should have remained exactly the same.

    Auckland • Since Aug 2008 • 311 posts

  • Dylan Reeve,

    As an aside to all this I think the NZ Government should establish an IT advisory group that can co-ordinate with any and all government IT departments on issues like this and that group should institute and publicise a Vulnerability Reward program. The data we're talking about is just too important to rely on the hope that "good citizens" will report whatever they find and that random IT departments will act appropriately.

    Auckland • Since Aug 2008 • 311 posts

  • FiFi, in reply to Ben Masters,

    And government departments don't terrorize people with their threats and ill treatment? What do you call what this government is doing to people? It is a form of terrorism disguised as law.

    Auckland • Since Oct 2012 • 6 posts

  • Ross Mason,

    Well said Dylan Reeve. I heartily agree. It should not be beyond the wit of the collective expertise - and I mean within the Govt orgs - to disappear to a hideout for a week or two to devise systems that are useful to Govt and more importantly the citizenry of our fair country.

    Why do we insist each org has to have its own?? And it seems that Brendon Boyle's previous lives may be just the ticket to finish what the Govt started.

    Let's do it, folks!!

    Upper Hutt • Since Jun 2007 • 1588 posts

  • papango, in reply to Dylan Reeve,

    You'll laugh (or cry, or both), but we actually already have one. The New Zealand National Cyber Security Centre is an actual thing. It's got strategy documents and forms and an info security manual that runs to 297 pages. You'll be shocked, shocked!, to learn that they are ignoring this and hoping nobody asks what it is they do again or why we're paying for it.

    Wellington • Since Jan 2012 • 19 posts