The man wanted to remain anonymous to protect his family

Oct 16, 2012 06:54 GMT
The New Zealand Ministry of Social Development does not have a bug bounty program

Yesterday we learned that an unnamed individual had identified a serious security breach in the Internet kiosks set up at the New Zealand Work and Income (WINZ) offices. Journalist Keith Ng, who made the story public, has now revealed the identity of the anonymous informant.

The man is Ira Bailey, an activist whose name appeared in a number of articles back in 2007 after he was arrested as part of the Urewera incident. He initially asked for anonymity to protect his family.

“He did not have any special access to the system – he just had half an hour to kill at a WINZ office. He plugged in his USB drive and it didn’t appear, so he had a poke around the system to find it – and found the giant vulnerability instead,” Ng explained in a follow-up article.

Apparently, Bailey didn’t demand a reward for his findings. He simply thought that the Ministry of Social Development might have a bounty program in place for reporting security problems, similar to those of Facebook and Google.

Since the ministry’s representatives failed to answer his request, the man contacted the journalist, considering the issue too important to let slide.

When the Ministry of Social Development contacted him again, they told Bailey that there was no such bug bounty program and that he was not going to get paid for his discovery.

“At this point, it was clear that Ira was not going to get paid for it, but that it could still be an important story. He showed me the vulnerability – the only condition was that his name be kept out of it. He wasn’t interested in being in the limelight,” Ng added.

Since it was likely that authorities would discover his identity based on the name and phone number he used when contacting the ministry, Bailey decided to make it public himself.

Both Ng and Bailey have deleted the information they copied from WINZ machines during their tests.